Bug 27782

Summary: Connecting/mounting HFS+ volumes causes kernel oops
Product: File System
Reporter: A. Bahr (andreas.bahr1967)
Component: HFS/HFSPLUS
Assignee: Christoph Hellwig (hch)
Status: CLOSED DUPLICATE
Severity: high
CC: dcbw, florian, hch, maciej.rutecki, rjw
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.38-rc2+
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 27352
Attachments: oops

Description A. Bahr 2011-01-29 11:19:59 UTC
After connecting my iPod Classic to my machine running the latest linux-2.6 git version I am getting a kernel oops.

This is probably not XHCI-related, as I am experiencing the same issue on my Intel EHCI controller. The iPod works fine on the same machine with kernel 2.6.37.

usb 9-4: new high speed USB device using xhci_hcd and address 2
xhci_hcd 0000:03:00.0: WARN: short transfer on control ep
xhci_hcd 0000:03:00.0: WARN: short transfer on control ep
xhci_hcd 0000:03:00.0: WARN: short transfer on control ep
xhci_hcd 0000:03:00.0: WARN: short transfer on control ep
scsi8 : usb-storage 9-4:1.0
scsi 8:0:0:0: Direct-Access     Apple    iPod             1.62 PQ: 0 ANSI: 0
sd 8:0:0:0: Attached scsi generic sg5 type 0
sd 8:0:0:0: [sde] Spinning up disk....ready
sd 8:0:0:0: [sde] 39023511 4096-byte logical blocks: (159 GB/148 GiB)
sd 8:0:0:0: [sde] Write Protect is off
sd 8:0:0:0: [sde] Mode Sense: 68 00 00 08
sd 8:0:0:0: [sde] No Caching mode page present
sd 8:0:0:0: [sde] Assuming drive cache: write through
sd 8:0:0:0: [sde] 39023511 4096-byte logical blocks: (159 GB/148 GiB)
sd 8:0:0:0: [sde] No Caching mode page present
sd 8:0:0:0: [sde] Assuming drive cache: write through
 sde: [mac] sde1 sde2
sd 8:0:0:0: [sde] 39023511 4096-byte logical blocks: (159 GB/148 GiB)
sd 8:0:0:0: [sde] No Caching mode page present
sd 8:0:0:0: [sde] Assuming drive cache: write through
sd 8:0:0:0: [sde] Attached SCSI removable disk
xhci_hcd 0000:03:00.0: WARN: short transfer on control ep
sd 8:0:0:0: [sde] Bad block number requested
hfs: unable to find HFS+ superblock
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff811a0a78>] hfsplus_sync_fs+0x68/0x270
PGD 21c2e7067 PUD 21bc70067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.3/0000:03:00.0/usb9/9-4/devnum
CPU 2
Modules linked in: ir_lirc_codec sg mceusb

Pid: 2474, comm: ipod-set-info Not tainted 2.6.38-rc2+ #34 EP45-DS4/EP45-DS4
RIP: 0010:[<ffffffff811a0a78>]  [<ffffffff811a0a78>] hfsplus_sync_fs+0x68/0x270
RSP: 0018:ffff88021c2ddab8  EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88021b898b00 RCX: ffffffff81a07440
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88021d23b000
RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88021d23b000
R13: 00000000ffffffea R14: ffffffff818000e0 R15: ffff88021bb67a00
FS:  00007fbbebc92720(0000) GS:ffff8800dfd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000008 CR3: 000000021bf32000 CR4: 00000000000406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process ipod-set-info (pid: 2474, threadinfo ffff88021c2dc000, task ffff88021d8022e0)
Stack:
 7fffffff00000008 ffff88021b898b00 ffff88021d23b000 ffff88021bb67a00
 00000000ffffffea ffffffff818000e0 0000000000000000 ffffffff811a0d15
 ffff88021b898b00 ffff88021d23b000 0000000000000000 ffffffff811a10b6
Call Trace:
 [<ffffffff811a0d15>] ? hfsplus_put_super+0x65/0xd0
 [<ffffffff811a10b6>] ? hfsplus_fill_super+0x116/0x590
 [<ffffffff81061840>] ? default_wake_function+0x0/0x20
 [<ffffffff813e1249>] ? T.646+0x49/0x120
 [<ffffffff81269e6c>] ? __disk_unblock_events+0x7c/0x130
 [<ffffffff8127b23f>] ? number+0x2ff/0x330
 [<ffffffff810d9a39>] ? pcpu_alloc_area+0x229/0x330
 [<ffffffff8127d1d9>] ? vsnprintf+0x429/0x5c0
 [<ffffffff8111676b>] ? iput+0x2b/0x290
 [<ffffffff811a0fa0>] ? hfsplus_fill_super+0x0/0x590
 [<ffffffff8127d416>] ? snprintf+0x36/0x40
 [<ffffffff8127a8f1>] ? strlcpy+0x41/0x50
 [<ffffffff81100870>] ? set_bdev_super+0x0/0x30
 [<ffffffff811a0fa0>] ? hfsplus_fill_super+0x0/0x590
 [<ffffffff81101e5d>] ? mount_bdev+0x1cd/0x210
 [<ffffffff81100935>] ? vfs_kern_mount+0x75/0x1a0
 [<ffffffff81118b2e>] ? get_fs_type+0x3e/0xd0
 [<ffffffff81100ad3>] ? do_kern_mount+0x53/0x110
 [<ffffffff8111c3a9>] ? do_mount+0x2d9/0x850
 [<ffffffff810d60c4>] ? memdup_user+0x44/0x90
 [<ffffffff8111c9ba>] ? sys_mount+0x9a/0xf0
 [<ffffffff81030dfb>] ? system_call_fastpath+0x16/0x1b
Code: 8b 6c 24 10 4c 8b 64 24 18 4c 8b 6c 24 20 4c 8b 74 24 28 4c 8b 7c 24 30 48 83 c4 38 c3 66 0f 1f 44 00 00 c6 47 14 00 48 8b 43 18 <48> 8b 40 08 48 8b b8 40 01 00 00 e8 d8 45 f2 ff 89 c5 48 8b 43
RIP  [<ffffffff811a0a78>] hfsplus_sync_fs+0x68/0x270
 RSP <ffff88021c2ddab8>
CR2: 0000000000000008
---[ end trace 3e2552afc5dac26f ]---

Comment 1 Dan Williams 2011-02-01 18:38:51 UTC
*** Bug 28032 has been marked as a duplicate of this bug. ***

Comment 2 Dan Williams 2011-02-01 18:39:48 UTC
From my dupe...

Attempting to mount:

http://pcdn2-download.vzw.com/mac/7.2/VZAM_7.2.4_2534b_UML290.dmg

with the following command:

mount -t hfsplus -o loop VZAM_7.2.4_2534b_UML290.dmg /tmp/mac290

yields the following oops.  The dmg in question can be extracted with
"macutils" dmg2img tool correctly (and then mounted like above) so it's clearly
some form of Mac disk image.  However, I'd assume the kernel shouldn't oops
when attempting to mount this image.
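
A pre-mount check, added here as an example and not part of the original comment or of any project's code: it reads the on-disk signatures that decide whether the hfsplus driver can find a superblock, so a compressed .dmg or a whole-disk image is identified before it reaches the kernel parser. The function names and sample bytes are constructed for illustration, and treating the .dmg as the common UDIF format is an assumption; the offsets are those of the HFS+/HFS, Apple Partition Map and UDIF formats.

```python
import os

VH_OFFSET = 1024  # HFS+ volume header / HFS master directory block offset
EMBED_SIG = 0x7C  # offset of the embedded-volume signature inside an HFS MDB
TRAILER = 512     # a UDIF .dmg ends with a 512-byte trailer starting "koly"

def classify(head: bytes, tail: bytes = b"") -> str:
    """Classify an image from its first 2 KiB and its last 512 bytes."""
    sig = head[VH_OFFSET:VH_OFFSET + 2]
    if sig in (b"H+", b"HX"):
        return "hfsplus"
    if sig == b"BD":  # plain HFS, or an HFS wrapper around an HFS+ volume
        inner = head[VH_OFFSET + EMBED_SIG:VH_OFFSET + EMBED_SIG + 2]
        return "hfs-wrapper" if inner == b"H+" else "hfs"
    if head[:2] == b"ER":
        return "apple-partition-map"  # whole disk: mount a partition instead
    if len(tail) == TRAILER and tail[:4] == b"koly":
        return "udif-dmg"  # convert first (e.g. with dmg2img), then mount
    return "unknown"

def classify_file(path: str) -> str:
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(2048)
        f.seek(max(size - TRAILER, 0))
        tail = f.read(TRAILER)
    return classify(head, tail)

def mountable_as_hfsplus(kind: str) -> bool:
    return kind in ("hfsplus", "hfs-wrapper")

def constructed_samples() -> dict:
    # Constructed byte strings (not real images): zero-filled 2 KiB heads
    # carrying only the signature bytes that classify() inspects.
    def at(off: int, sig: bytes) -> bytearray:
        buf = bytearray(2048)
        buf[off:off + len(sig)] = sig
        return buf
    wrapper = at(VH_OFFSET, b"BD")
    wrapper[VH_OFFSET + EMBED_SIG:VH_OFFSET + EMBED_SIG + 2] = b"H+"
    return {
        "raw-hfsplus": (bytes(at(VH_OFFSET, b"H+")), b""),
        "hfs-wrapper": (bytes(wrapper), b""),
        "whole-disk-apm": (bytes(at(0, b"ER")), b""),
        "compressed-dmg": (bytes(2048), b"koly" + bytes(508)),
    }
```

Only images classified as `hfsplus` or `hfs-wrapper` carry a signature at offset 1024; anything else passed to `mount -t hfsplus` ends in the "unable to find HFS+ superblock" path seen in the log above.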

Comment 3 Dan Williams 2011-02-01 18:41:24 UTC
Created attachment 45872
oops

Pretty much the same as Andreas' oops.

Comment 4 Christoph Hellwig 2011-02-03 22:30:08 UTC
*** This bug has been marked as a duplicate of bug 27932 ***