Bug 889471
| Summary: | [Btrfs] BUG: unable to handle kernel NULL pointer dereference at (null) btrfs_get_sb should return error when open_ctree failed | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Rock Lee <xinli> |
| Component: | kernel | Assignee: | Eric Sandeen <esandeen> |
| Status: | CLOSED ERRATA | QA Contact: | dhe |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4 | CC: | eguan, esandeen, kzhang, linn, peterm, plambri, rwheeler, sreekanth_reddy, srinivas_g_gowda, tgummels |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | kernel-2.6.32-471.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-14 05:13:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1024339 | | |
| Attachments: | | | |
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

6.3 GA kernel has no problem, set Regression keyword, found this when testing degraded mount feature

Steps to reproduce:

    # setup two loop devices, say /dev/loop0 and /dev/loop1
    mkfs.btrfs /dev/loop0 /dev/loop1
    # mount loop0 should work
    mount /dev/loop0 /mnt/btrfs
    # Remove loop1
    umount /mnt/btrfs
    losetup -d /dev/loop1
    # mount loop0 again, this should fail, but panic
    mount /dev/loop0 /mnt/btrfs
    # If no panic, then mount with degraded option should work
    mount -o degraded /dev/loop0 /mnt/btrfs

*** Bug 1093415 has been marked as a duplicate of this bug. ***

Created attachment 892050: Full oops

From the other BZ, it's worth noting that this is easily producible if someone has RHEL7 with a btrfs file system and then wants to re-install the system with RHEL6.5. It will crash during Anaconda and it won't necessarily be obvious why.

To recreate:

1) Install RHEL7
2) Create a btrfs file system. I also created a file in the file system.
3) Shut the system down
4) Attempt to install RHEL6.5. Choose basic storage. When Anaconda examines the storage, the system will panic.

It doesn't have to be a broken btrfs file system.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Patch(es) available on kernel-2.6.32-471.el6

*** Bug 1110173 has been marked as a duplicate of this bug. ***

Hi, can we have a KBase for this known behavior with RHEL 6.5? Please let us know.

*** Bug 920537 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1392.html

Description of problem:

When trying to mount a broken btrfs filesystem, got kernel NULL pointer dereference. Which caused the function open_ctree to fail; open_ctree was called by btrfs_fill_super. btrfs_get_sb doesn't return an error when this situation happens. Please see this code snippet:

------------------------[CUT HERE]---------------------------------------

            error = btrfs_fill_super(s, fs_devices, data,
                                     flags & MS_SILENT ? 1 : 0);
        }

        root = !error ? get_default_root(s, subvol_objectid) : ERR_PTR(error);
        if (IS_ERR(root))
            deactivate_locked_super(s);
        ^^^^^^^^^^^^^^^^^^^^^^HERE SHOULD RETURN ERROR^^^^^^^^^^^^^^^^^^^
        mnt->mnt_sb = s;
        mnt->mnt_root = root;
        return 0;

------------------------[CUT HERE]----------------------------------------

The latest upstream had fixed this problem.

http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=blob;f=fs/btrfs/super.c;h=915ac14c20642ec619ec159d90d0fbed2a02b0da;hb=HEAD

        root = !error ? get_default_root(s, subvol_objectid) : ERR_PTR(error);
        if (IS_ERR(root))
            deactivate_locked_super(s);

        return root;

--------------------------------------------------------------DETAIL LOG--------------------------------------------------------

    btrfs: open_ctree failed
    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: [<ffffffff81229ddf>] selinux_set_mnt_opts+0x3f/0x580
    PGD 0
    Oops: 0000 [#1] SMP
    last sysfs file: /sys/devices/virtual/block/loop0/dev
    CPU 0
    Modules linked in: btrfs(T) zlib_deflate lzo_decompress lzo_compress libcrc32c sunrpc ipv6 power_meter hpilo hpwdt bnx2 microcode serio_raw fam15h_power k10temp amd64_edac_mod edac_core edac_mce_amd sg i2c_piix4 shpchp ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom hpsa ata_generic pata_acpi pata_atiixp ahci radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mperf]

    Pid: 2661, comm: mount Tainted: G --------------- T 2.6.32-348.el6.x86_64 #1 HP ProLiant DL385 G7
    RIP: 0010:[<ffffffff81229ddf>] [<ffffffff81229ddf>] selinux_set_mnt_opts+0x3f/0x580
    RSP: 0018:ffff880438fffc58 EFLAGS: 00010292
    RAX: ffffffffa045dab3 RBX: ffff880438fffce8 RCX: ffff880439a41400
    RDX: 0000000000000000 RSI: ffff880438fffce8 RDI: ffff880439a41400
    RBP: ffff880438fffcd8 R08: 0000000000000000 R09: 0000000000000013
    R10: 000000000000000e R11: fffff000ffffffc0 R12: ffff880439a41400
    R13: 0000000000000000 R14: ffff880439a41400 R15: 0000000000000000
    FS: 00007f3b0e87b7e0(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000043a3c9000 CR4: 00000000000407f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process mount (pid: 2661, threadinfo ffff880438ffe000, task ffff88043973b540)
    Stack:
     ffff880438f639a0 ffff880438f63bd0 ffffffffa045dab3 ffff8802b959e6c0
    <d> ffff880438f63530 ffff88043981c3c0 ffff880439a41400 ffff880438f63000
    <d> 0000000000000000 ffff880439a41400 ffff880438fffcc8 ffff880438fffce8
    Call Trace:
     [<ffffffff8122a381>] superblock_doinit+0x61/0xd0
     [<ffffffff8118353e>] ? deactivate_locked_super+0x5e/0x90
     [<ffffffff8122a439>] selinux_sb_kern_mount+0x49/0xd0
     [<ffffffff8121b526>] security_sb_kern_mount+0x16/0x20
     [<ffffffff8118360b>] vfs_kern_mount+0x9b/0x1b0
     [<ffffffff81183792>] do_kern_mount+0x52/0x130
     [<ffffffff811a38a2>] do_mount+0x2d2/0x8d0
     [<ffffffff81139d84>] ? strndup_user+0x64/0xc0
     [<ffffffff811a3f30>] sys_mount+0x90/0xe0
     [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
    Code: 00 00 65 48 8b 04 25 c0 cb 00 00 48 8b 80 48 06 00 00 49 89 fe 48 89 45 98 48 8b 47 30 4c 8b af c0 00 00 00 48 8b 00 48 89 45 90 <49> 8b 45 00 48 8b 40 68 48 8b 40 10 48 8b 80 30 02 00 00 48 89
    RIP [<ffffffff81229ddf>] selinux_set_mnt_opts+0x3f/0x580
     RSP <ffff880438fffc58>
    CR2: 0000000000000000

Version-Release number of selected component (if applicable):
kernel: 2.6.32-348.el6.x86_64
btrfs-progs: btrfs-progs-0.20-0.2.git91d9eec.el6.x86_64

How reproducible:
Sometimes

Steps to Reproduce:
1. Mount a broken btrfs filesystem
2.
3.

Actual results:
kernel NULL pointer dereference

Expected results:
no kernel NULL pointer dereference

Additional info:
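
The control flow the description points at, as an added userspace illustration (not kernel code and not the reporter's): a get_sb-style function that tears the superblock down on failure but still returns 0, so the caller carries on into its post-mount hooks as the call trace shows. The reduced structs, the `state` field, the `propagate` flag and the always-failing `fill_super` are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified userspace stand-ins for the kernel's ERR_PTR helpers. */
#define MAX_ERRNO 4095UL
static void *ERR_PTR(long e) { return (void *)e; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (unsigned long)p >= -MAX_ERRNO; }

/* Hypothetical reduced structs; 'state' stands for whatever teardown clears. */
struct super { int active; void *state; };
struct vfsmount { struct super *mnt_sb; void *mnt_root; };

/* Models btrfs_fill_super() failing because open_ctree failed. */
static int fill_super(struct super *s) { (void)s; return -EINVAL; }
static void deactivate_locked_super(struct super *s) { s->active = 0; s->state = NULL; }

/* propagate == 0: pattern from the report (teardown, then return 0).
 * propagate == 1: the error is returned before mnt is populated. */
static int get_sb(struct super *s, struct vfsmount *mnt, int propagate)
{
    int error = fill_super(s);
    void *root = !error ? (void *)s : ERR_PTR(error);
    if (IS_ERR(root)) {
        deactivate_locked_super(s);
        if (propagate)
            return (int)PTR_ERR(root);
    }
    mnt->mnt_sb = s;
    mnt->mnt_root = root;
    return 0;
}

/* Caller model: returns 1 if a post-mount hook would get a torn-down superblock. */
static int hook_sees_dead_sb(int propagate)
{
    struct super s = { 1, &s };
    struct vfsmount mnt = { NULL, NULL };
    if (get_sb(&s, &mnt, propagate) < 0)
        return 0;                       /* caller bails out, hook never runs */
    return mnt.mnt_sb->state == NULL;   /* hook would dereference this */
}

int main(void)
{
    printf("buggy: %d, fixed: %d\n", hook_sees_dead_sb(0), hook_sees_dead_sb(1));
    return 0;
}
```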