Bug 1783075
Summary: | bcache: overflow in stripe number calculations for devices with small io_opt | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ken Raeburn <raeburn> | ||||
Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> | ||||
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 32 | CC: | airlied, bskeggs, hdegoede, ichavero, itamar, jarodwilson, jeremy, jglisse, john.j5live, jonathan, josef, kernel-maint, linville, masami256, mchehab, mjg59, steved | ||||
Target Milestone: | --- | Keywords: | Reopened | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2021-05-25 15:13:46 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Ken Raeburn
2019-12-12 23:45:12 UTC
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There are a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 31 kernel bugs. Fedora 31 has now been rebased to 5.5.7-200.fc31. Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 32, and are still experiencing this issue, please change the version to Fedora 32. If you experience different issues, please open a new bug report for those. *********** MASS BUG UPDATE ************** This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 3 weeks. If you are still experiencing this issue, please reopen and attach the relevant data from the latest kernel you are running and any data that might have been requested previously. I rebuilt my Fedora 31 test VM and got kernel 5.5.11-200. The failure with the 9 TB volume is the same. With the 17 TB volume, I can create the cache. Writing to it didn't produce the BUG failure in my first few attempts, but it didn't always happen with the 5.3.15-300 kernel either, so I can't say for certain whether that part has been fixed. My systemtap one-liner had to be made a bit more complicated due to the restructuring of the bcache read path: probe module("bcache").function("cached_dev_read_done_bh") { disk = @container_of($cl, "struct search", cl)->d; printf("stripe_size %u nr_stripes %u\n", @cast(disk, "struct bcache_device", "bcache")->stripe_size, @cast(disk, "struct bcache_device", "bcache")->nr_stripes); exit(); } ...but it still confirms that the number of stripes gets truncated for the 17 TB volume. Ah, yes... it helps to force the bcache device to have partial_stripes_expensive=1; without a handy configuration where it could be inherited from q->limits.raid_partial_stripes_expensive, I took the sledgehammer approach:
# run under systemtap and then read a block
probe module("bcache").function("cached_dev_read_done_bh")
{
dc = &@container_of(@container_of($cl, "struct search", cl)->d,
"struct cached_dev", disk);
@cast(dc,"struct cached_dev","bcache")->partial_stripes_expensive = 1;
exit();
}
Then if writeback mode is enabled and other conditions are met, bcache_dev_stripe_dirty can be called when writing a block to a well chosen offset, and may, if you're lucky, hit an unmapped address and trigger the fault again.
$ dd if=/dev/urandom bs=4096 count=1 of=/dev/bcache0 seek=1073741824
...
kernel: BUG: unable to handle page fault for address: ffff9f96fcf1d008
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 1ff994b067 P4D 1ff994b067 PUD 0
kernel: Oops: 0000 [#1] SMP PTI
kernel: CPU: 3 PID: 5296 Comm: dd Kdump: loaded Tainted: P OE 5.5.11-200.fc31.x86_64 #1
kernel: Hardware name: Supermicro X9SRE/X9SRE-3F/X9SRi/X9SRi-3F/X9SRE/X9SRE-3F/X9SRi/X9SRi-3F, BIOS 3.2 01/16/2015
kernel: RIP: 0010:cached_dev_make_request+0x8b0/0xdf0 [bcache]
kernel: Code: 00 00 45 8b be 9c 00 00 00 48 8b 46 20 31 d2 8b 7e 28 49 f7 f7 4d 89 fa 4d 8b be a0 00 00 00 c1 ef 09 89 c2 89 c0 49 8d 04 87 <8b> 00 85 c0 75 26 44 39 d7 77 0e e9 c4 03 00 00 41 39 fa 0f 83 bb
kernel: RSP: 0018:ffff9f95ea48f9c0 EFLAGS: 00010202
kernel: RAX: ffff9f96fcf1d008 RBX: ffff8e9c0af10000 RCX: 0000000000000000
kernel: RDX: 0000000040000002 RSI: ffff8e9b6f4b90c0 RDI: 0000000000000008
kernel: RBP: ffff8e9b7d148000 R08: 000000000000002a R09: 0000000000000801
kernel: R10: 0000000000000008 R11: 0000000000000801 R12: ffff8e9b7d148128
kernel: R13: ffff8e9b7d148050 R14: ffff8e9c0af10010 R15: ffff9f95fcf1d000
kernel: FS: 00007f49f4d99580(0000) GS:ffff8e9c7fcc0000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: ffff9f96fcf1d008 CR3: 0000001ecb27c005 CR4: 00000000001606e0
kernel: Call Trace:
kernel: ? recalibrate_cpu_khz+0x10/0x10
kernel: ? ktime_get+0x38/0x90
kernel: ? generic_make_request_checks+0x2f7/0x5f0
kernel: generic_make_request+0xcf/0x320
kernel: submit_bio+0x42/0x1c0
[...]
Looking at the stack trace ("cached_dev_make_request+0x8b0") and a kernel module disassembly with debug info, it appears to confirm that the fault is at line 50 of writeback.h, performing the atomic_read with a bogus address outside the range of the allocated stripe_sectors_dirty array, because stripe is bigger than nr_stripes:
while (1) {
>>> if (atomic_read(dc->disk.stripe_sectors_dirty + stripe))
return true;
This should also be possible to set up with an actual raid5 configuration.
Looking at the 5.3.15 sources, the test of partial_stripes_expensive was present there too, and I'm pretty sure my earlier test on a virtual machine didn't use raid5...so I'm not quite sure how it got triggered before...
This message is a reminder that Fedora 31 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '31'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 31 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Coly Li made a couple changes to address this problem back in July; they were incorporated in Linus's tree in the 5.9 release. By inspection, it seems clear that 5.8.18-200.fc32 has not added any patches to address the problems. This message is a reminder that Fedora 32 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '32'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 32 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |