Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 253921 - GFS2: NULL superblock pointer causes panic after bad mount option
GFS2: NULL superblock pointer causes panic after bad mount option
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Don Zickus
Dean Jansa
Depends On: 253289
  Show dependency treegraph
Reported: 2007-08-22 18:05 EDT by Abhijith Das
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version: RHBA-2007-0959
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 15:00:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
check for NULL sdp in gfs2_kill_sb (438 bytes, patch)
2007-08-22 18:18 EDT, Abhijith Das
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0959 normal SHIPPED_LIVE Updated kernel packages for Red Hat Enterprise Linux 5 Update 1 2007-11-07 19:47:37 EST

  None (edit)
Comment 1 Nate Straz 2007-08-22 18:10:45 EDT
I was able to reproduce this on -42.el5.

GFS2: can't parse mount arguments
BUG: unable to handle kernel NULL pointer dereference at virtual address 0000062c
 printing eip:
*pde = e6e55067
Oops: 0002 [#1]
last sysfs file: /fs/gfs2/morph-cluster:morph-cluster8/lock_module/block
Modules linked in: gnbd(U) lock_nolock gfs(U) lock_dlm gfs2 dlm configfs autofs4
hidp rfcomm l2cap bluetooth sunrpc ipv6 dm_multipath video sbs backlight i2c_ec
button battery asus_acpi ac lp parport_pc i2c_i801 floppy parport ide_cd
intel_rng i2c_core e7xxx_edac sg cdrom edac_mc e1000 pcspkr dm_snapshot dm_zero
dm_mirror dm_mod qla2xxx scsi_transport_fc ata_piix libata sd_mod scsi_mod ext3
jbd ehci_hcd ohci_hcd uhci_hcd
CPU:    1
EIP:    0060:[<c0438933>]    Not tainted VLI
EFLAGS: 00010246   (2.6.18-42.el5 #1) 
EIP is at down_write+0xf/0x19
eax: 0000062c   ebx: 0000062c   ecx: f7aa1740   edx: ffff0001
esi: 00000000   edi: 0000062c   ebp: f6099280   esp: ea845d60
ds: 007b   es: 007b   ss: 0068
Process mount.gfs2 (pid: 6315, ti=ea845000 task=f7529550 task.ti=ea845000)
Stack: 00000000 f8d34b34 c327e23c f8d55060 00000000 f8d55060 c327e200 f6099280 
       f8d34de3 c327e200 f8d39cbd c327e200 c047574b ffffffea 00000000 c0475d2b 
       332d6d64 f7850600 c0678c80 000080d0 c0678c80 f7529550 c0458d4e 00000044 
Call Trace:
 [<f8d34b34>] gfs2_log_flush+0x18/0x2bd [gfs2]
 [<f8d34de3>] gfs2_meta_syncfs+0xa/0x31 [gfs2]
 [<f8d39cbd>] gfs2_kill_sb+0x19/0x21 [gfs2]
 [<c047574b>] deactivate_super+0x52/0x65
 [<c0475d2b>] get_sb_bdev+0xdb/0x110
 [<c0458d4e>] __alloc_pages+0x57/0x282
 [<f8d39cd9>] gfs2_get_sb+0x14/0x30 [gfs2]
 [<f8d3a945>] fill_super+0x0/0x51a [gfs2]
 [<c04757db>] vfs_kern_mount+0x7d/0xf2
 [<c0475882>] do_kern_mount+0x25/0x36
 [<c04883c2>] do_mount+0x5d6/0x646
 [<c0436025>] autoremove_wake_function+0x0/0x2d
 [<c05a2fd8>] do_sock_read+0xae/0xb7
 [<c05a356b>] sock_aio_read+0x53/0x61
 [<c0458a7d>] get_page_from_freelist+0x96/0x310
 [<c0487357>] copy_mount_options+0xaa/0x109
 [<c048849f>] sys_mount+0x6d/0xa5
 [<c0404eff>] syscall_call+0x7/0xb
Code: 0f c1 10 78 41 c3 ba ff ff 00 00 f0 0f c1 10 75 42 c3 f0 81 00 00 00 01 00
78 45 c3 53 89 c3 e8 02 b7 1c 00 ba 01 00 ff ff 89 d8 <f0> 0f c1 10 85 d2 75 38
5b c3 53 89 c3 e8 e9 b6 1c 00 89 d8 f0 
EIP: [<c0438933>] down_write+0xf/0x19 SS:ESP 0068:ea845d60
 <0>Kernel panic - not syncing: Fatal exception
Comment 2 Abhijith Das 2007-08-22 18:18:19 EDT
Created attachment 164441 [details]
check for NULL sdp in gfs2_kill_sb

This patch should fix the problem. Basically, when you try to mount gfs2 with
-o garbage, the mount fails and the gfs2 superblock is deallocated and becomes
NULL. The vfs comes around later on and calls gfs2_kill_sb. At this point the
hidden gfs2 superblock pointer (sb->s_fs_info) is NULL and dereferencing it
through gfs2_meta_syncfs causes the panic. (the other function call to
gfs2_delete_debugfs_file() succeeds because this function already checks for a
NULL pointer)
Comment 3 Nate Straz 2007-08-23 11:53:18 EDT
Tested and verified against kernel-2.6.18-43.gfs2abhi.001.
Comment 4 Abhijith Das 2007-08-24 09:21:22 EDT
Changing summary so that it's not confused with other bug #253289
Comment 5 Abhijith Das 2007-08-24 09:24:44 EDT
Posted fix to rhkernel-list:
Comment 6 Don Zickus 2007-08-28 18:33:57 EDT
in 2.6.18-44.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 9 errata-xmlrpc 2007-11-07 15:00:54 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.