Bug 18792 - BUG: unable to handle kernel paging request in minix_count_free_blocks
Status: CLOSED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: fs_other
Reported: 2010-09-19 14:04 UTC by Richard W.M. Jones
Modified: 2012-06-13 14:58 UTC

Regression: No

Description Richard W.M. Jones 2010-09-19 14:04:55 UTC
This is a copy of the Red Hat Bugzilla bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=635266

Description of problem:

I have a minix filesystem which provokes the stack trace
attached (2.6.36-0.22.rc4.git2.fc15.x86_64 and also earlier
kernel versions).

There's nothing particularly special about the filesystem.  I
made it simply by installing Minix 3.1.7 in a qemu VM.
Unfortunately though the disk image that contains it is pretty
large (4GB) so it's going to be quite hard to provide a copy
of it for anyone.

[  119.975051] BUG: unable to handle kernel paging request at ffff88001f3fd000
[  119.975051] IP: [<ffffffffa01070b2>] count_free+0xb2/0x137 [minix]
[  119.975051] PGD 1a44063 PUD 1a48063 PMD 8067 PTE 0
[  119.975051] Oops: 0000 [#1] SMP 
[  119.975051] last sysfs file: /sys/devices/virtio-pci/virtio1/block/vda/dev
[  119.975051] CPU 0 
[  119.975051] Modules linked in: minix nls_utf8 hfsplus hfs vfat fat i2c_piix4
i2c_core virtio_blk virtio_net virtio_console virtio_rng virtio_balloon
virtio_pci sym53c8xx virtio_ring virtio scsi_transport_spi libcrc32c ext2 crc7
crc_itu_t crc_ccitt
[  119.975051] 
[  119.975051] Pid: 230, comm: guestfsd Not tainted
2.6.36-0.22.rc4.git2.fc15.x86_64 #1 /Bochs
[  119.975051] RIP: 0010:[<ffffffffa01070b2>]  [<ffffffffa01070b2>]
count_free+0xb2/0x137 [minix]
[  119.975051] RSP: 0018:ffff88001cdc3d70  EFLAGS: 00000203
[  119.975051] RAX: 00000000fffffea2 RBX: ffff88001f07e000 RCX:
000000000037f000
[  119.975051] RDX: 00000000000c751f RSI: ffff88001ca354d0 RDI:
000000000037f001
[  119.975051] RBP: ffff88001cdc3d90 R08: 000000000178ca99 R09:
0000000000000019
[  119.975051] R10: ffff88001ca35000 R11: 0000000000000019 R12:
0000000000001000
[  119.975051] R13: 0000000000000000 R14: ffff88001cdc3e00 R15:
00007fff9a2d42c0
[  119.975051] FS:  00007f1f4c7ff7c0(0000) GS:ffff880002c00000(0000)
knlGS:0000000000000000
[  119.975051] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  119.975051] CR2: ffff88001f3fd000 CR3: 000000001c47a000 CR4:
00000000000006f0
[  119.975051] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[  119.975051] DR3: 0000000000000000 DR6: 0000000000000000 DR7:
0000000000000000
[  119.975051] Process guestfsd (pid: 230, threadinfo ffff88001cdc2000, task
ffff88001c65a440)
[  119.975051] Stack:
[  119.975051]  ffff88001ce5c000 ffff88001ce5c000 000000000fc00007
ffff88001cdc3ec8
[  119.975051] <0> ffff88001cdc3da8 ffffffffa01072fa ffff88001cdc3e28
ffff88001cdc3dd8
[  119.975051] <0> ffffffffa0109628 ffff88001cdc3dd8 ffff88001cdc3e28
ffff88001caa43d8
[  119.975051] Call Trace:
[  119.975051]  [<ffffffffa01072fa>] minix_count_free_blocks+0x23/0x2c [minix]
[  119.975051]  [<ffffffffa0109628>] minix_statfs+0x5a/0xb0 [minix]
[  119.975051]  [<ffffffff8114d60e>] statfs_by_dentry+0x56/0x6e
[  119.975051]  [<ffffffff8114d641>] vfs_statfs+0x1b/0xb0
[  119.975051]  [<ffffffff8114d734>] do_statfs_native+0x22/0x3c
[  119.975051]  [<ffffffff8114d79a>] sys_statfs+0x4c/0x8f
[  119.975051]  [<ffffffff8113377a>] ? mntput+0x1d/0x1f
[  119.975051]  [<ffffffff81009cea>] ? sysret_check+0x2e/0x69
[  119.975051]  [<ffffffff810801d5>] ? trace_hardirqs_on_caller+0x10b/0x12f
[  119.975051]  [<ffffffff8149c10a>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[  119.975051]  [<ffffffff81009cb2>] system_call_fastpath+0x16/0x1b
[  119.975051] Code: 85 f6 0f 84 9f 00 00 00 48 8b 4e 20 89 d0 31 ff 48 c1 e1
03 49 0f af c9 48 29 c8 48 c1 e8 04 01 c0 eb 26 48 8b 5e 28 89 f9 ff c7 <8a> 0c
0b 88 cb 83 e1 0f c0 fb 04 83 e3 0f 44 03 04 9d b0 b0 10 
[  119.975051] RIP  [<ffffffffa01070b2>] count_free+0xb2/0x137 [minix]
[  119.975051]  RSP <ffff88001cdc3d70>
[  119.975051] CR2: ffff88001f3fd000
[  119.975051] ---[ end trace 33e5808896065909 ]---


Version-Release number of selected component (if applicable):

Linux version 2.6.36-0.22.rc4.git2.fc15.x86_64
(mockbuild@x86-07.phx2.fedoraproject.org) (gcc version 4.5.1 20100907 (Red Hat
4.5.1-3) (GCC) ) #1 SMP Wed Sep 15 12:48:54 UTC 2010

(also happens with earlier kernel versions, I tested several
versions from 2.6.33 onwards)

How reproducible:

Always.

Steps to Reproduce:
1. Install Minix 3.1.7 in a qemu (not KVM) VM.
2. Attach the disk to a Rawhide VM, or just run
  LIBGUESTFS_DEBUG=1 virt-df -h /dev/vg/minix

Actual results:

Spectacular crash.

Expected results:

Shouldn't crash.

Additional info:

Looking a bit more closely, what fails is *not* the mount,
but the statfs system call on the mounted filesystem.  To
reproduce this you would have to first mount /dev/vda7
(readonly, not sure if that matters), and then perform a
statfs(2) system call on the filesystem.

Comment 1 Richard W.M. Jones 2011-08-15 20:50:13 UTC
Still happens in 3.0.

There is a reproducer filesystem image here:
https://bugzilla.redhat.com/show_bug.cgi?id=635266#c8

Comment 2 Florian Mickler 2012-01-12 21:29:09 UTC
A patch referencing this bug report has been merged in Linux v3.2-rc3:

commit 016e8d44bc06dd3322f26712bdd3f3a6973592d0
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
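
The commit title above names the check: bitmap block counts are verified before mounting. The following is an added example, not part of this bug report and not the kernel patch itself, showing that kind of consistency check in user-space C. The struct, its field names and the sizing rule (one bit per inode, one bit per data zone) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Superblock geometry; struct and field names are assumptions of this example. */
struct minix_geom {
    uint32_t ninodes;       /* inodes the superblock declares */
    uint32_t nzones;        /* total zones the superblock declares */
    uint32_t firstdatazone; /* first zone that holds file data */
    uint32_t imap_blocks;   /* blocks declared for the inode bitmap */
    uint32_t zmap_blocks;   /* blocks declared for the zone bitmap */
    uint32_t blocksize;     /* bytes per block */
};

enum geom_status { GEOM_OK, GEOM_BAD_BLOCKSIZE, GEOM_BAD_ZONES,
                   GEOM_IMAP_TOO_SMALL, GEOM_ZMAP_TOO_SMALL };

/* Blocks needed to hold `bits` bitmap bits, rounded up (64-bit, so no wrap). */
static uint64_t blocks_needed(uint64_t bits, uint32_t blocksize)
{
    uint64_t bits_per_block = (uint64_t)blocksize * 8;
    return (bits + bits_per_block - 1) / bits_per_block;
}

/* Assumed sizing: one bit per inode, one bit per zone from firstdatazone on. */
enum geom_status check_bitmap_counts(const struct minix_geom *g)
{
    if (g->blocksize == 0 || (g->blocksize & (g->blocksize - 1)))
        return GEOM_BAD_BLOCKSIZE;          /* zero or not a power of two */
    if (g->firstdatazone > g->nzones)
        return GEOM_BAD_ZONES;              /* subtraction below would wrap */
    if (g->imap_blocks < blocks_needed(g->ninodes, g->blocksize))
        return GEOM_IMAP_TOO_SMALL;
    if (g->zmap_blocks < blocks_needed(g->nzones - g->firstdatazone, g->blocksize))
        return GEOM_ZMAP_TOO_SMALL;
    return GEOM_OK;
}

int main(void)
{
    /* Constructed values, not taken from the reporter's image. */
    struct minix_geom good = { 65536, 1048576, 1000, 2, 32, 4096 };
    struct minix_geom bad  = good;
    bad.zmap_blocks = 4;   /* declares far fewer bitmap blocks than zones need */
    printf("good=%d bad=%d\n", check_bitmap_counts(&good), check_bitmap_counts(&bad));
    return 0;
}
```

A superblock that fails this check declares more inodes or zones than its bitmap blocks can describe, so any code that walks the bitmap by the declared counts would read past the blocks actually loaded.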
