Bug 874407

Summary: btrfs: BUG: unable to handle kernel NULL pointer dereference at 000000000000003f
Product: [Fedora] Fedora Reporter: Ken Tobias <kentobias>
Component: kernelAssignee: Zach Brown <zab>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, sweil
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:c4b1cc5b169c49490233caf895c13aba4707d8a7
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-06 22:52:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ken Tobias 2012-11-08 06:11:28 UTC 
Additional info:
libreport version: 2.0.18
abrt_version:   2.0.18
cmdline:        BOOT_IMAGE=/vmlinuz-3.6.5-1.fc17.x86_64 root=UUID=3d131530-ad80-43f5-8c8b-1aacf8f4e047 ro rd.md=0 rd.lvm=0 rd.dm=0 SYSFONT=True KEYTABLE=us rd.luks=0 LANG=en_US.UTF-8 rhgb quiet
kernel:         3.6.5-1.fc17.x86_64

backtrace:
:BUG: unable to handle kernel NULL pointer dereference at 000000000000003f
:IP: [<ffffffffa05bbca6>] free_extent_map+0x16/0x70 [btrfs]
:PGD 64ce067 PUD 64cf067 PMD 0 
:Oops: 0000 [#1] SMP 
:Modules linked in: hid_logitech_dj xfs btrfs libcrc32c zlib_deflate tcp_diag inet_diag ts_bm xt_string fuse lockd sunrpc tun bnep 8021q bluetooth garp stp llc nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_REJECT nf_conntrack_ipv6 ipt_MASQUERADE iptable_nat nf_defrag_ipv6 nf_nat nf_conntrack_ipv4 xt_state nf_defrag_ipv4 nf_conntrack ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek kvm_amd kvm snd_hda_intel snd_hda_codec snd_hwdep arc4 rt2800pci rt2800lib edac_core snd_seq snd_seq_device snd_pcm forcedeth rt2x00pci rt2x00lib eeprom_93cx6 mac80211 edac_mce_amd shpchp i2c_nforce2 microcode k10temp snd_page_alloc snd_timer snd soundcore cfg80211 rfkill crc_ccitt serio_raw uinput ata_generic pata_acpi usb_storage pata_amd nouveau mxm_wmi wmi video i2c_algo_bit drm_kms_helper ttm drm i2c_core
:CPU 0 
:Pid: 11216, comm: rsync Not tainted 3.6.5-1.fc17.x86_64 #1 eMachines ER1401/ER1401
:RIP: 0010:[<ffffffffa05bbca6>]  [<ffffffffa05bbca6>] free_extent_map+0x16/0x70 [btrfs]
:RSP: 0018:ffff8800079bbc18  EFLAGS: 00010282
:RAX: ffffffffffffffef RBX: ffffffffffffffef RCX: 00000000009f70a1
:RDX: 00000000009f70a0 RSI: ffff88001c1dc7e0 RDI: ffffffffffffffef
:RBP: ffff8800079bbc28 R08: 000060ff90000da0 R09: 00000000ffffffef
:R10: 00000000ffffffef R11: 0000000000000000 R12: ffff8800095ca768
:R13: 0000000410a7d000 R14: 0000000410a5e000 R15: ffffffffffffffef
:FS:  00007f03f8128740(0000) GS:ffff88006fc00000(0000) knlGS:0000000000000000
:CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
:CR2: 000000000000003f CR3: 00000000064cd000 CR4: 00000000000007f0
:DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
:DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
:Process rsync (pid: 11216, threadinfo ffff8800079ba000, task ffff880007b9ae20)
:Stack:
: 0000000410a5e000 0000000410a5e000 ffff8800079bbcf8 ffffffffa05b4199
: ffff8800079bbc68 ffffffffa05b5942 ffff88000000000e ffff8800079bbcc8
: ffff88003791b980 ffff8800095ca768 ffff8800079bbc98 ffffffffffffffef
:Call Trace:
: [<ffffffffa05b4199>] btrfs_cont_expand+0x279/0x320 [btrfs]
: [<ffffffffa05b5942>] ? btrfs_update_time+0x62/0xd0 [btrfs]
: [<ffffffffa05b9edd>] btrfs_file_aio_write+0x28d/0x4a0 [btrfs]
: [<ffffffff8118e807>] do_sync_write+0xa7/0xe0
: [<ffffffff8118f08c>] vfs_write+0xac/0x180
: [<ffffffff8118f3ba>] sys_write+0x4a/0x90
: [<ffffffff81625829>] system_call_fastpath+0x16/0x1b
:Code: 00 00 00 c7 40 58 00 00 00 00 c7 40 50 01 00 00 00 5d c3 66 90 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 48 85 ff 48 89 fb 74 28 <8b> 47 50 85 c0 74 28 f0 ff 4b 50 0f 94 c0 84 c0 74 16 8b 43 54 
:RIP  [<ffffffffa05bbca6>] free_extent_map+0x16/0x70 [btrfs]
: RSP <ffff8800079bbc18>
:CR2: 000000000000003f
Comment 1 Zach Brown 2013-01-03 21:23:00 UTC 
This oops comes from buggy error handling in btrfs_cont_expand().

> :BUG: unable to handle kernel NULL pointer dereference at 000000000000003f
> :IP: [<ffffffffa05bbca6>] free_extent_map+0x16/0x70 [btrfs]

>    41ca6:       8b 47 50                mov    0x50(%rdi),%eax

> :RDX: 00000000009f70a0 RSI: ffff88001c1dc7e0 RDI: ffffffffffffffef

> (gdb) print/x 0xffffffffffffffef + 0x50
> $2 = 0x3f

> (gdb) print (long)0xffffffffffffffef
> $4 = -17

> /usr/include/asm-generic/errno-base.h:#define   EEXIST          17

>         while (1) {
>                 em = btrfs_get_extent(inode, NULL, 0, cur_offset,
>                                 block_end - cur_offset, 0);
>                 if (IS_ERR(em)) {
>                         err = PTR_ERR(em);
>                         break;
>                 }
>                 [ ... ]
>         }
> 
>         free_extent_map(em);

> void free_extent_map(struct extent_map *em)
> {
>         if (!em)
>                 return;
>         WARN_ON(atomic_read(&em->refs) == 0);

So any errors from btrfs_get_extent() in btrfs_cont_expand() will trigger this oops.

The bug is still present upstream in mainline.  I'll get it fixed.
Comment 2 Zach Brown 2013-02-06 22:52:46 UTC 
This has been applied upstream and was first available in v3.8-rc5.

commit f276795627045a3c599a60b476767861e4318c7d
Author: Zach Brown <zab>
Date:   Tue Jan 8 19:37:58 2013 +0000

    btrfs: fix btrfs_cont_expand() freeing IS_ERR em
    
$ git tag --contains f276795627045a3c599a60b476767861e4318c7d
v3.8-rc5

So the fix will be available in F17 if the kernel package rebases to a 3.8 kernel, probably around a 3.8.1 stable kernel release.