[Bug 668878] New: Kernel crash when trying to mount extended partition with reiserfs option
https://bugzilla.novell.com/show_bug.cgi?id=668878

https://bugzilla.novell.com/show_bug.cgi?id=668878#c0

           Summary: Kernel crash when trying to mount extended partition with
                    reiserfs option
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Milestone 6 of 6
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Minor
          Priority: P5 - None
         Component: Kernel
        AssignedTo: jeffm@novell.com
        ReportedBy: trenn@novell.com
         QAContact: qa@suse.de
          Found By: Development
           Blocker: ---

I ran into this when trying to run our auto-installation on 11.4.
It's an ugly script trying to mount all partitions from /proc/partitions
unconditionally:

------------
DISKS=$(cat /proc/partitions | awk '{print $4}' | \
        grep -v name | grep -v '^$' | grep -v loop | grep '[0-9]')
ROOT=$(mount | grep ' / ' | cut -d ' ' -f 1)
for partition in ${DISKS} ; do
    partition=/dev/${partition}
    if [ -b ${partition} ] && [ ${partition} != ${ROOT} ] ; then
        if mount -v ${partition} /mnt ; then
            if [ -f /etc/SuSE-release ] && [ -f /mnt/etc/motd ] ; then
                replace_motd /mnt/etc/motd
            fi
            umount /mnt &> /dev/null
        fi
        sleep 1
    fi
done
------------

The crash happens when trying to mount /dev/sda3 (Extended Partition) with
reiserfs. Other tries like vfat, due to no -t option given survive:

mount -v /dev/sda3 /mnt
mount: you didn't specify a filesystem type for /dev/sda3
       I will try all types mentioned in /etc/filesystems or /proc/filesystems
Trying vfat
Trying hfs
Trying minix
Trying reiserfs
-> crash

So I can reproduce the issue doing:

mount -t reiserfs /dev/sda3 /mnt

fdisk -l /dev/sda
..
/dev/sda3         4289355   976768064   486239355   85  Linux extended
/dev/sda5         4289418    23856461     9783522   83  Linux
..

I can work around the issue and clean up the script.
Still I thought it's worth reporting, the crash does not happen on SLES 11 SP1.

Unfortunately there is no backtrace in the serial logs, a kdump kernel gets
booted, but on the machine I tested kdump does not work as expected, possibly
due to IOMMU being used (bug#668872).
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=668878

https://bugzilla.novell.com/show_bug.cgi?id=668878#c1

--- Comment #1 from Jeff Mahoney <jeffm@novell.com> 2011-02-02 14:22:57 UTC ---
Ok, I can reproduce that.

[511899.519574] attempt to access beyond end of device
[511899.519580] sda2: rw=0, want=18, limit=2
[511899.519588] REISERFS warning (device sda2): sh-2006 read_super_block: bread failed (dev sda2, block 8, size 1024)
[511899.519595] attempt to access beyond end of device
[511899.519598] sda2: rw=0, want=130, limit=2
[511899.519601] REISERFS warning (device sda2): sh-2006 read_super_block: bread failed (dev sda2, block 64, size 1024)
[511899.519606] REISERFS warning (device sda2): sh-2021 reiserfs_fill_super: can not find reiserfs on sda2
[511899.519625] BUG: unable to handle kernel NULL pointer dereference at 00000000000000f8
[511899.520497] IP: [<ffffffffa0305b5c>] reiserfs_kill_sb+0x1c/0xf0 [reiserfs]
[511899.520497] PGD 0
[511899.520497] Oops: 0000 [#1] PREEMPT SMP
[511899.520497] last sysfs file: /sys/devices/system/cpu/cpu15/cache/index2/shared_cpu_map
[511899.520497] CPU 9
[511899.520497] Modules linked in: reiserfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc autofs4 edd af_packet cpufreq_conservative cpufreq_userspace cpufreq_powersave powernow_k8 mperf dm_mod amd64_edac_mod igb edac_core sg i2c_piix4 dca button edac_mce_amd kvm_amd ghes k10temp kvm serio_raw pcspkr hed ext4 jbd2 crc16 fan processor thermal thermal_sys ata_generic pata_atiixp
[511899.520497]
[511899.520497] Pid: 10612, comm: mount Not tainted 2.6.37-18-desktop #1 /ProLiant DL165 G7
[511899.520497] RIP: 0010:[<ffffffffa0305b5c>]  [<ffffffffa0305b5c>] reiserfs_kill_sb+0x1c/0xf0 [reiserfs]
[511899.520497] RSP: 0018:ffff880236733d98  EFLAGS: 00010292
[511899.520497] RAX: 0000000000000000 RBX: ffff880437012000 RCX: 00000000000029ac
[511899.520497] RDX: 0000000000000012 RSI: 0000000000000003 RDI: ffff880437012000
[511899.520497] RBP: ffff880437012000 R08: 0000000000012fbc R09: 0000000000000000
[511899.520497] R10: 0000000000000000 R11: dead000000200200 R12: 0000000000000003
[511899.520497] R13: ffff8802375ac6c0 R14: ffff8802375ac780 R15: ffffffffa0308a60
[511899.520497] FS:  00007f1ed1e2a7e0(0000) GS:ffff88043fc40000(0000) knlGS:0000000000000000
[511899.520497] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[511899.520497] CR2: 00000000000000f8 CR3: 0000000436cd0000 CR4: 00000000000006e0
[511899.520497] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[511899.520497] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[511899.520497] Process mount (pid: 10612, threadinfo ffff880236732000, task ffff880236d3a380)
[511899.520497] Stack:
[511899.520497]  ffff880437012000 ffffffffa032b9c0 0000000000000003 ffffffff81154133
[511899.520497]  ffff8802375ac6c0 0000000000000000 ffff880437012000 ffffffff81154c89
[511899.520497]  00000000ffffffea 0000000000000000 ffff880032616473 ffff880436676d60
[511899.520497] Call Trace:
[511899.520497]  [<ffffffff81154133>] deactivate_locked_super+0x43/0x70
[511899.520497]  [<ffffffff81154c89>] mount_bdev+0x1c9/0x1f0
[511899.520497]  [<ffffffff811543a9>] vfs_kern_mount+0x89/0x250
[511899.520497]  [<ffffffff811545e3>] do_kern_mount+0x53/0x130
[511899.520497]  [<ffffffff8116fc52>] do_mount+0x1e2/0x210
[511899.520497]  [<ffffffff8116fd6a>] sys_mount+0x9a/0xf0
[511899.520497]  [<ffffffff8100300b>] system_call_fastpath+0x16/0x1b
[511899.520497]  [<00007f1ed1327baa>] 0x7f1ed1327baa
[511899.520497] Code: 08 5b 5d 41 5c 41 5d e9 c3 ce e3 e0 90 90 90 48 83 ec 18 48 89 6c 24 08 48 89 1c 24 48 89 fd 4c 89 64 24 10 48 8b 87 78 02 00 00 <48> 8b 98 f8 00 00 00 48 85 db 0f 84 9b 00 00 00 4c 8d 63 08 48
[511899.520497] RIP  [<ffffffffa0305b5c>] reiserfs_kill_sb+0x1c/0xf0 [reiserfs]
[511899.520497]  RSP <ffff880236733d98>
[511899.520497] CR2: 00000000000000f8
[511900.673310] ---[ end trace 4438c8453206a9a2 ]---
https://bugzilla.novell.com/show_bug.cgi?id=668878

https://bugzilla.novell.com/show_bug.cgi?id=668878#c2

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Jeff Mahoney <jeffm@novell.com> 2011-02-02 15:01:53 UTC ---
Ok, this is detach_privroot() assuming that sb->s_fs_info is still valid.
reiserfs_fill_super() frees and sets it to NULL during the error path.
https://bugzilla.novell.com/show_bug.cgi?id=668878

https://bugzilla.novell.com/show_bug.cgi?id=668878#c3

--- Comment #3 from Jeff Mahoney <jeffm@novell.com> 2011-02-02 15:02:05 UTC ---
Ok, this is detach_privroot() assuming that sb->s_fs_info is still valid.
reiserfs_fill_super() frees and sets it to NULL during the error path.
https://bugzilla.novell.com/show_bug.cgi?id=668878

https://bugzilla.novell.com/show_bug.cgi?id=668878#c4

--- Comment #4 from Thomas Renninger <trenn@novell.com> 2011-02-11 20:19:53 UTC ---
Any chance there will be a fix for 11.4 still?
https://bugzilla.novell.com/show_bug.cgi?id=668878

https://bugzilla.novell.com/show_bug.cgi?id=668878#c5

Tamas Visegrady <tamas.visegrady@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tamas.visegrady@gmail.com

--- Comment #5 from Tamas Visegrady <tamas.visegrady@gmail.com> 2011-02-13 15:52:09 UTC ---
Just ran into this after running "-t auto" mount on an all-zeroes USB stick by
accident. Identical dump with 2.6.37-20-desktop.

The error path in reiserfs_fill_super() indeed sets s_fs_info to NULL, but
there's a non-NULL check in reiserfs_kill_sb() before using s->s_fs_info.
However, doesn't reiserfs_kill_sb+0x1c dereference the superblock pointer *s
at +0x1c?

---------------------
static void reiserfs_kill_sb(struct super_block *s)
{
        if (REISERFS_SB(s)) {                          // s->s_fs_info
                if (REISERFS_SB(s)->xattr_root) {      // s->s_fs_info->xattr...
                        d_invalidate(REISERFS_SB(s)->xattr_root);
..
---------------------
0000000000011b40 <reiserfs_kill_sb>:
reiserfs_kill_sb():
   11b40:  48 83 ec 18            sub    $0x18,%rsp
   11b44:  48 89 6c 24 08         mov    %rbp,0x8(%rsp)
   11b49:  48 89 1c 24            mov    %rbx,(%rsp)
   11b4d:  48 89 fd               mov    %rdi,%rbp
   11b50:  4c 89 64 24 10         mov    %r12,0x10(%rsp)
                                  // s
   11b55:  48 8b 87 78 02 00 00   mov    0x278(%rdi),%rax
                                  // s->s_fs_info
   11b5c:  48 8b 98 f8 00 00 00   mov    0xf8(%rax),%rbx
           (cf.NULL pointer dereference at ...000000f8 ^^^^)
   11b63:  48 85 db               test   %rbx,%rbx
   11b66:  0f 84 9b 00 00 00      je     11c07 <reiserfs_kill_sb+0xc7>
   11b6c:  4c 8d 63 08            lea    0x8(%rbx),%r12
   11b70:  48 c7 c7 00 00 00 00   mov    $0x0,%rdi
                        11b73: R_X86_64_32S     dcache_lock
---------------------

reiserfs_fill_super() is called from mount_bdev() before
deactivate_locked_super() calls back to reiserfs_kill_sb():

---------------------
(mount_bdev())
..
        error = fill_super(s, data, flags & MS_SILENT ? 1 : 0);
        if (error) {
                deactivate_locked_super(s);
..
---------------------
void deactivate_locked_super(struct super_block *s)
..
        if (atomic_dec_and_test(&s->s_active)) {
                fs->kill_sb(s);
..
---------------------
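The call order traced in comments #2, #3 and #5 (fill_super fails and leaves s_fs_info NULL, then kill_sb still runs) is modelled below in userspace C. This is an added example, not part of the thread and not the patch referenced as patches.fixes/reiserfs-xattr-crash-fix; the `model_*` names, `null_base_fault_addr()` and the struct layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel types. The padding only places the
 * member at 0xf8 to match CR2 in the oops; it is not the real layout. */
struct sb_info { char pad[0xf8]; void *xattr_root; };
struct super_block { struct sb_info *s_fs_info; int torn_down; };
/* Address that faults when this member is read through a NULL s_fs_info. */
static size_t null_base_fault_addr(void) { return offsetof(struct sb_info, xattr_root); }

/* Error path as described in the thread: free, then leave s_fs_info NULL. */
static int model_fill_super(struct super_block *s, int found_fs)
{
    s->s_fs_info = calloc(1, sizeof(*s->s_fs_info));
    if (!s->s_fs_info) return -ENOMEM;
    if (!found_fs) {
        free(s->s_fs_info);
        s->s_fs_info = NULL;
        return -EINVAL;
    }
    s->s_fs_info->xattr_root = s;  /* any non-NULL marker */
    return 0;
}

/* Teardown that reads nothing through s_fs_info before the NULL check. */
static void model_kill_sb(struct super_block *s)
{
    if (s->s_fs_info) {
        free(s->s_fs_info);
        s->s_fs_info = NULL;
    }
    s->torn_down = 1;
}

/* Same shape as the mount_bdev() excerpt: kill_sb runs on the error path. */
static int model_mount(struct super_block *s, int found_fs)
{
    int error = model_fill_super(s, found_fs);
    if (error)
        model_kill_sb(s);
    return error;
}

int main(void)
{
    struct super_block s = {0};
    return !(model_mount(&s, 0) == -EINVAL && null_base_fault_addr() == 0xf8);
}
```

A faulting address that equals a small member offset, as with CR2 = 0xf8 here, is the usual signature of a member read through a NULL base pointer rather than a wild pointer.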
https://bugzilla.novell.com/show_bug.cgi?id=668878

https://bugzilla.novell.com/show_bug.cgi?id=668878#c6

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from Jeff Mahoney <jeffm@novell.com> 2011-02-14 01:26:05 UTC ---
Strange. I thought I already updated and closed this bug.

commit de24d15aabcbdbaace7e4932969cc4b06c581806
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Wed Feb 2 11:34:01 2011 -0500

    - patches.fixes/reiserfs-xattr-crash-fix: fix crash during failed mount
      (bnc#668878)

The kernel in the 11.4 repo needs refreshing. I issued an SR the other day.