Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 889471 - [Btrfs] BUG: unable to handle kernel NULL pointer dereference at (null) btrfs_get_sb should return error when open_ctree failed
Summary: [Btrfs] BUG: unable to handle kernel NULL pointer dereference at (null) btrf...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.4
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Eric Sandeen
QA Contact: dhe
: 920537 1093415 1110173 (view as bug list)
Depends On:
Blocks: 1024339
TreeView+ depends on / blocked
Reported: 2012-12-21 10:31 UTC by Rock Lee
Modified: 2014-10-14 05:13 UTC (History)
10 users (show)

Fixed In Version: kernel-2.6.32-471.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-14 05:13:42 UTC
Target Upstream Version:

Attachments (Terms of Use)
Full oops (3.06 KB, text/plain)
2014-05-02 22:38 UTC, Eric Sandeen
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1123683 0 None None None Never
Red Hat Product Errata RHSA-2014:1392 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2014-10-14 01:28:44 UTC

Description Rock Lee 2012-12-21 10:31:52 UTC
Description of problem:

When trying to mount a broken btrfs filesystem. Got kernel NULL pointer dereference.

Which caused the function open_ctree failed, open_ctree was called by btrfs_fill_super.

btrfs_get_sb doesn't return error when this situation happens. 

Please see this snippet codes:

------------------------[CUT HERE]---------------------------------------
		error = btrfs_fill_super(s, fs_devices, data,
					 flags & MS_SILENT ? 1 : 0);

	root = !error ? get_default_root(s, subvol_objectid) : ERR_PTR(error);
	if (IS_ERR(root))

        ^^^^^^^^^^^^^^^^^^^^^^HERE SHOULD RETURN ERROR^^^^^^^^^^^^^^^^^^^

	mnt->mnt_sb = s;
	mnt->mnt_root = root;

	return 0;
------------------------[CUT HERE]----------------------------------------

The latest upstream had fixed this problem. 


1145         root = !error ? get_default_root(s, subvol_objectid) : ERR_PTR(error);
1146         if (IS_ERR(root))
1147                 deactivate_locked_super(s);
1149         return root;

--------------------------------------------------------------DETAIL LOG--------------------------------------------------------
btrfs: open_ctree failed 
BUG: unable to handle kernel NULL pointer dereference at (null) 
IP: [<ffffffff81229ddf>] selinux_set_mnt_opts+0x3f/0x580 
PGD 0  
Oops: 0000 [#1] SMP  
last sysfs file: /sys/devices/virtual/block/loop0/dev 
CPU 0  
Modules linked in: btrfs(T) zlib_deflate lzo_decompress lzo_compress libcrc32c sunrpc ipv6 power_meter hpilo hpwdt bnx2 microcode serio_raw fam15h_power k10temp amd64_edac_mod edac_core edac_mce_amd sg i2c_piix4 shpchp ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom hpsa ata_generic pata_acpi pata_atiixp ahci radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mperf] 
Pid: 2661, comm: mount Tainted: G           ---------------  T 2.6.32-348.el6.x86_64 #1 HP ProLiant DL385 G7 
RIP: 0010:[<ffffffff81229ddf>]  [<ffffffff81229ddf>] selinux_set_mnt_opts+0x3f/0x580 
RSP: 0018:ffff880438fffc58  EFLAGS: 00010292 
RAX: ffffffffa045dab3 RBX: ffff880438fffce8 RCX: ffff880439a41400 
RDX: 0000000000000000 RSI: ffff880438fffce8 RDI: ffff880439a41400 
RBP: ffff880438fffcd8 R08: 0000000000000000 R09: 0000000000000013 
R10: 000000000000000e R11: fffff000ffffffc0 R12: ffff880439a41400 
R13: 0000000000000000 R14: ffff880439a41400 R15: 0000000000000000 
FS:  00007f3b0e87b7e0(0000) GS:ffff880028200000(0000) knlGS:0000000000000000 
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
CR2: 0000000000000000 CR3: 000000043a3c9000 CR4: 00000000000407f0 
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 
Process mount (pid: 2661, threadinfo ffff880438ffe000, task ffff88043973b540) 
 ffff880438f639a0 ffff880438f63bd0 ffffffffa045dab3 ffff8802b959e6c0 
<d> ffff880438f63530 ffff88043981c3c0 ffff880439a41400 ffff880438f63000 
<d> 0000000000000000 ffff880439a41400 ffff880438fffcc8 ffff880438fffce8 
Call Trace: 
 [<ffffffff8122a381>] superblock_doinit+0x61/0xd0 
 [<ffffffff8118353e>] ? deactivate_locked_super+0x5e/0x90 
 [<ffffffff8122a439>] selinux_sb_kern_mount+0x49/0xd0 
 [<ffffffff8121b526>] security_sb_kern_mount+0x16/0x20 
 [<ffffffff8118360b>] vfs_kern_mount+0x9b/0x1b0 
 [<ffffffff81183792>] do_kern_mount+0x52/0x130 
 [<ffffffff811a38a2>] do_mount+0x2d2/0x8d0 
 [<ffffffff81139d84>] ? strndup_user+0x64/0xc0 
 [<ffffffff811a3f30>] sys_mount+0x90/0xe0 
 [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b 
Code: 00 00 65 48 8b 04 25 c0 cb 00 00 48 8b 80 48 06 00 00 49 89 fe 48 89 45 98 48 8b 47 30 4c 8b af c0 00 00 00 48 8b 00 48 89 45 90 <49> 8b 45 00 48 8b 40 68 48 8b 40 10 48 8b 80 30 02 00 00 48 89  
RIP  [<ffffffff81229ddf>] selinux_set_mnt_opts+0x3f/0x580 
 RSP <ffff880438fffc58> 
CR2: 0000000000000000 

Version-Release number of selected component (if applicable):
kernel: 2.6.32-348.el6.x86_64
btrfs-progs: btrfs-progs-0.20-0.2.git91d9eec.el6.x86_64

How reproducible:

Steps to Reproduce:
1. Mount a broken btrfs filesystem
Actual results:
kernel NULL pointer dereference 

Expected results:
no kernel NULL pointer dereference

Additional info:

Comment 1 RHEL Program Management 2012-12-25 06:49:06 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 Eryu Guan 2013-01-05 10:53:30 UTC
6.3 GA kernel has no problem, set Regression keyword, found this when testing degraded mount feature

Steps to reproduce:
# setup two loop devices, say /dev/loop0 and /dev/loop1
mkfs.btrfs /dev/loop0 /dev/loop1
# mount loop0 should work
mount /dev/loop0 /mnt/btrfs

# Remove loop1
umount /mnt/btrfs
losetup -d /dev/loop1

# mount loop0 again, this should fail, but panic
mount /dev/loop0 /mnt/btrfs

# If no panic, then mount with degraded option should work
mount -o degraded /dev/loop0 /mnt/btrfs

Comment 6 Eric Sandeen 2014-05-02 22:22:05 UTC
*** Bug 1093415 has been marked as a duplicate of this bug. ***

Comment 8 Eric Sandeen 2014-05-02 22:37:14 UTC
*** Bug 1093415 has been marked as a duplicate of this bug. ***

Comment 9 Eric Sandeen 2014-05-02 22:38:49 UTC
Created attachment 892050 [details]
Full oops

Comment 11 Linda Knippers 2014-05-02 22:50:31 UTC
From the other BZ, it's worth noting that this is easily 
producible if someone has RHEL7 with a btrfs file system and
then wants to re-install the system with RHEL6.5.  It will
crash during Anaconda and it won't necessarily be obvious why.

To recreate:
1) Install RHEL7 
2) Create a btrfs file system.  I also created a file in the file system.
3) Shut the system down 
4) Attempt to install RHEL6.5.  Choose basic storage.

When Anaconda examines the storage, the system will panic.

It doesn't have to be a broken btrfs file system.

Comment 13 RHEL Program Management 2014-05-02 23:20:41 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 14 Rafael Aquini 2014-05-30 02:24:56 UTC
Patch(es) available on kernel-2.6.32-471.el6

Comment 17 Eric Sandeen 2014-06-18 20:14:27 UTC
*** Bug 1110173 has been marked as a duplicate of this bug. ***

Comment 18 Sreekanth Reddy 2014-07-07 12:56:59 UTC
Can we have a KBase for this known behavior with RHEL 6.5
Please let us know

Comment 19 Eric Sandeen 2014-07-15 00:12:14 UTC
*** Bug 920537 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2014-10-14 05:13:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.