Bug 42292

Summary: logfs: NULL pointer dereference
Product: File System    Reporter: Witold Baryluk (witold.baryluk+kernel)
Component: Other    Assignee: fs_other
Status: RESOLVED CODE_FIX
Severity: normal    CC: alan, prasadjoshi124, witold.baryluk+kernel
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.0.0    Subsystem:
Regression: No    Bisected commit-id:

Description Witold Baryluk 2011-09-03 12:53:42 UTC
I was experimenting with logfs today.

I created a 128MiB logical volume on my LVM volume group. (It is using a single device: /dev/sda2_crypt, which is the second partition of my hard disk /dev/sda, encrypted using dmsetup/LUKS.)

# dd if=/dev/zero of=/dev/mapper/sredniczarny-logfstests 
dd: zapis do `/dev/mapper/sredniczarny-logfstests': Brak miejsca na urządzeniu
262145+0 przeczytanych recordów
262144+0 zapisanych recordów
skopiowane 134217728 bajtów (134 MB), 32,9673 s, 4,1 MB/s
# mkfs.logfs /dev/mapper/sredniczarny-logfstests 
Will create filesystem with the following details:
              hex:   decimal:
fssize=    8000000  134217728
segsize=     40000     262144
blocksize=    1000       4096
writesize=       1          1

Do you wish to continue (yes/no)
yes

Finished generating LogFS
# modprobe logfs
# mount /dev/mapper/sredniczarny-logfstests /mnt/logfstests
Unicestwiony (Terminated / Killed)
#

(note mount without -t logfs)

At the same time the kernel log showed:

[40191.377531] EXT3-fs (dm-9): error: can't find ext3 filesystem on dev dm-9.
[40191.391891] EXT4-fs (dm-9): VFS: Can't find ext4 filesystem
[40194.155546] EXT3-fs (dm-9): error: can't find ext3 filesystem on dev dm-9.
[40194.197908] EXT4-fs (dm-9): VFS: Can't find ext4 filesystem
[40199.897174] EXT3-fs (dm-9): error: can't find ext3 filesystem on dev dm-9.
[40199.919059] EXT4-fs (dm-9): VFS: Can't find ext4 filesystem
[40199.920300] LogFS: Start mount 0
[40199.920381] BUG: unable to handle kernel NULL pointer dereference at   (null)
[40199.920510] IP: [<f841f644>] kcryptd_io_read+0x99/0xa9 [dm_crypt]
[40199.920622] *pdpt = 000000001eb81001 *pde = 0000000000000000 
[40199.920720] Oops: 0000 [#1] SMP 
[40199.920780] Modules linked in: logfs ecb ecryptfs pktcdvd snd_hrtimer ip6table_filter ip6_tables ebtable_nat tun ebtables microcode ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack acpi_cpufreq ipt_REJECT mperf cpufreq_userspace xt_CHECKSUM cpufreq_stats iptable_mangle xt_tcpudp iptable_filter ip_tables x_tables bridge stp zram(C) dummy xfrm_user esp6 esp4 xfrm6_mode_beet xfrm4_mode_beet decnet cpufreq_conservative cpufreq_powersave cn bnep rfcomm bluetooth lib80211_crypt_ccmp binfmt_misc uinput deflate ctr camellia serpent blowfish cast5 des_generic xcbc rmd160 sha512_generic sha1_generic hmac crypto_null af_key ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi nfsd nfs lockd auth_rpcgss nfs_acl sunrpc irtty_sir sir_dev ircomm_tty ircomm irda crc_ccitt hdaps input_polldev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_page_alloc radeonfb fb_ddc joydev radeon thinkpad_acpi ipw2200 snd_seq_midi snd_rawmidi libipw pcspkr snd_seq_midi_event cfg80211 psmouse ttm snd_seq snd_timer snd_seq_device snd serio_raw evdev rfkill lib80211 soundcore parport_pc i2c_i801 drm_kms_helper nvram rng_core parport drm video battery ac i2c_algo_bit i2c_core power_supply button processor ext4 jbd2 crc16 fuse btrfs zlib_deflate crc32c libcrc32c sha256_generic cbc dm_crypt dm_mod raid10 raid456 async_raid6_recov async_pq raid6_pq async_xor xor async_memcpy async_tx raid1 raid0 multipath linear md_mod xenfs ext3 jbd mbcache cachefiles fscache twofish_i586 twofish_common aes_i586 aes_generic tpm_nsc tpm tpm_bios loop sg sr_mod sd_mod cdrom crc_t10dif ata_generic ata_piix ahci libahci libata tg3 thermal thermal_sys ehci_hcd scsi_mod libphy usbcore [last unloaded: uhci_hcd]
[40199.923684] 
[40199.923711] Pid: 22009, comm: mount Tainted: G         C   3.0.0-1-686-pae #1 IBM 2669UYD/2669UYD
[40199.923859] EIP: 0060:[<f841f644>] EFLAGS: 00010246 CPU: 0
[40199.923955] EIP is at kcryptd_io_read+0x99/0xa9 [dm_crypt]
[40199.924013] EAX: dedde20c EBX: c6746bfc ECX: 0000000c EDX: 00000000
[40199.924013] ESI: 00000000 EDI: dedde20c EBP: dedde1c0 ESP: f65a7ca0
[40199.924013]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[40199.924013] Process mount (pid: 22009, ti=f65a6000 task=f258d6f0 task.ti=f65a6000)
[40199.924013] Stack:
[40199.924013]  c6746bfc 00000000 0270a180 00000000 f841f777 f821f040 dea86f40 c67493c8
[40199.924013]  f821f040 f8422000 f843689a 0270a180 00000000 dea86d40 c67493c8 f4fb7800
[40199.924013]  f821f040 f843745a 00000000 00000001 00000008 f6d51de0 101dc26b 00000000
[40199.924013] Call Trace:
[40199.924013]  [<f841f777>] ? crypt_map+0x74/0xd2 [dm_crypt]
[40199.924013]  [<f843689a>] ? __map_bio+0x3a/0xe5 [dm_mod]
[40199.924013]  [<f843745a>] ? __split_and_process_bio+0x2f7/0x670 [dm_mod]
[40199.924013]  [<c10d8a0e>] ? __d_lookup_rcu+0xba/0xf0
[40199.924013]  [<c1020000>] ? hpet_reserve_platform_timers+0x23/0xd0
[40199.924013]  [<f843790e>] ? dm_request+0x13b/0x149 [dm_mod]
[40199.924013]  [<c1141f64>] ? generic_make_request+0x236/0x2a4
[40199.924013]  [<c1098d85>] ? get_page_from_freelist+0x29c/0x39d
[40199.924013]  [<c1142087>] ? submit_bio+0xb5/0xce
[40199.924013]  [<f9c34263>] ? sync_request+0x8a/0xa8 [logfs]
[40199.924013]  [<f9c342d2>] ? bdev_readpage+0x3a/0x3a [logfs]
[40199.924013]  [<f9c34298>] ? bdev_write_sb+0x17/0x17 [logfs]
[40199.924013]  [<f9c342ae>] ? bdev_readpage+0x16/0x3a [logfs]
[40199.924013]  [<c10944b5>] ? do_read_cache_page+0x64/0xf3
[40199.924013]  [<c1094571>] ? read_cache_page_async+0x14/0x18
[40199.924013]  [<c109457e>] ? read_cache_page+0x9/0xf
[40199.924013]  [<f9c34359>] ? bdev_find_first_sb+0x2b/0x2d [logfs]
[40199.924013]  [<f9c33ac9>] ? logfs_mount+0x1c3/0x56a [logfs]
[40199.924013]  [<c10dc5f1>] ? alloc_vfsmnt+0x7d/0x10e
[40199.924013]  [<c10cc428>] ? mount_fs+0x59/0x125
[40199.924013]  [<c10dc829>] ? vfs_kern_mount+0x45/0x78
[40199.924013]  [<c10dca43>] ? do_kern_mount+0x33/0xb3
[40199.924013]  [<c10ddd67>] ? do_mount+0x5df/0x62d
[40199.924013]  [<c12acc4c>] ? _cond_resched+0x5/0x18
[40199.924013]  [<c10a4b56>] ? memdup_user+0x26/0x43
[40199.924013]  [<c10ddfdb>] ? sys_mount+0x66/0x96
[40199.924013]  [<c12b245f>] ? sysenter_do_call+0x12/0x28
[40199.924013] Code: 20 0f b7 c9 89 45 20 8b 43 54 8b 53 58 03 46 04 13 56 08 6b c9 0c 89 45 00 8b 45 38 89 55 04 0f b7 77 1a 6b f6 0c 03 77 38 89 c7 <f3> a4 89 e8 e8 e1 26 d2 c8 31 c0 5b 5e 5f 5d c3 8b 50 40 8b 12 
[40199.924013] EIP: [<f841f644>] kcryptd_io_read+0x99/0xa9 [dm_crypt] SS:ESP 0068:f65a7ca0
[40199.924013] CR2: 0000000000000000
[40199.961504] ---[ end trace 74b876e5c8635942 ]---

The kernel is the stock kernel from Debian GNU/Linux testing, i386.

[    0.000000] Linux version 3.0.0-1-686-pae (Debian 3.0.0-3) (ben@decadent.org.uk) (gcc version 4.5.3 (Debian 4.5.3-8) ) #1 SMP Sat Aug 27 16:41:03 UTC 2011

After the oops, I have some problems with the hard disk (notably the "sync" command blocks and does not finish its job). A reboot is required.
Comment 1 Prasad Gajanan Joshi. 2012-04-05 14:53:23 UTC
This is fixed in the following commit:

commit cd8bfa9c8a13cf3facc5731da17e10188b3795d1
Author: Prasad Joshi <prasadjoshi.linux@gmail.com>
Date:   Mon Apr 2 09:23:04 2012 +0530

    logfs: initialize the number of iovecs in bio
    
    This fixes the following crash when a LogFS file system, created on an
    encrypted LVM volume, was mounted
    
    [  526.548034] BUG: unable to handle kernel NULL pointer dereference at
    [  526.550106] IP: [<ffffffff8131ecab>] memcpy+0xb/0x120
    [  526.551008] PGD bd60067 PUD 1778d067 PMD 0
    [  526.551783] Oops: 0000 [#1] SMP
    
    <d>Pid: 2043, comm: mount
    <d>RIP: 0010:[<ffffffff8131ecab>]  [<ffffffff8131ecab>] memcpy+0xb/0x120
    Call Trace:
        kcryptd_io_read+0xdb/0x100
        crypt_map+0xfd/0x190
        __map_bio+0x48/0x150
        __split_and_process_bio+0x51b/0x630
        dm_request+0x138/0x230
        generic_make_request+0xca/0x100
        submit_bio+0x87/0x110
        sync_request+0xdd/0x120 [logfs]
        bdev_readpage+0x2e/0x70 [logfs]
        do_read_cache_page+0x82/0x180
        logfs_mount+0x2ad/0x770 [logfs]
        mount_fs+0x47/0x1c0
        vfs_kern_mount+0x72/0x110
        do_kern_mount+0x54/0x110
        do_mount+0x520/0x7f0
        sys_mount+0x90/0xe0
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=42292
    Reported-by: Witold Baryluk <baryluk@smp.if.uj.edu.pl>
    Signed-off-by: Prasad Joshi <prasadjoshi.linux@gmail.com>

If you would like to verify, please clone the following repository:
git://github.com/prasad-joshi/logfs_upstream.git