Bug 202925 - BUG: failure at fs/buffer.c:195/__find_get_block_slow()!
Summary: BUG: failure at fs/buffer.c:195/__find_get_block_slow()!
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: ext4 (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-14 19:18 UTC by Jungyeon
Modified: 2019-03-21 10:49 UTC (History)

See Also:
Kernel Version: 5.0.0
Subsystem:
Regression: No
Bisected commit-id:


Attachments
image&program (6.70 KB, application/gzip)
2019-03-14 19:18 UTC, Jungyeon

Description Jungyeon 2019-03-14 19:18:04 UTC
Created attachment 281829 [details]
image&program

- Overview
After mounting the crafted image and running the attached program, I got this segmentation fault while the program was running.
I also tried to reproduce it on a VM, but it only failed on LKL.

LKL is the Linux Kernel Library. poc_03.c is a program that issues a list of system calls from userspace, and the crafted image is a potentially faulty image used to exercise error-handling paths.
https://gts3.org/~jungyeon/ext4-combined
At the link above, I uploaded the executable file required for this test.

- Reproduce
./lkl/tools/lkl/ext4-combined -t ext4 -i tmp.img -p poc_03.c.raw -v
(poc_03.c shows its internal program)

- Messages
[    0.000000] Linux version 5.0.0+ (jungyeon@copper) (gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)) #1 Wed Mar 13 19:57:50 EDT 2019
[    0.000000] memblock address range: 0x7fffe4000000 - 0x7fffebfff000
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32319
[    0.000000] Kernel command line: mem=128M virtio_mmio.device=316@0x1000000:1
[    0.000000] Dentry cache hash table entries: 16384 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 4, 65536 bytes)
[    0.000000] Memory available: 129044k/131068k RAM
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 4096
[    0.000000] lkl: irqs initialized
[    0.000000] clocksource: lkl: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[    0.000001] lkl: time and timers initialized (irq2)
[    0.000009] pid_max: default: 4096 minimum: 301
[    0.000073] Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.000086] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.002805] printk: console [lkl_console0] enabled
[    0.002839] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.004581] clocksource: Switched to clocksource lkl
[    0.004960] virtio-mmio: Registering device virtio-mmio.0 at 0x1000000-0x100013b, IRQ 1.
[    0.005453] workingset: timestamp_bits=62 max_order=15 bucket_order=0
[    0.015235] virtio-mmio virtio-mmio.0: Failed to enable 64-bit or 32-bit DMA.  Trying to continue, but this might not work.
[    0.015492] virtio_blk virtio0: [vda] 32768 512-byte logical blocks (16.8 MB/16.0 MiB)
[    0.016404] random: get_random_bytes called from .LC28+0x21/0x38 with crng_init=0
[    0.016827] Warning: unable to open an initial console.
[    0.016877] This architecture does not have kernel memory protection.
[    0.016883] Run /init as init process
[    0.019880] EXT4-fs warning (device vda): ext4_clear_journal_err:4988: Filesystem error recorded from previous mount: Readonly filesystem
[    0.019894] EXT4-fs warning (device vda): ext4_clear_journal_err:4989: Marking fs in need of filesystem check.
[    0.020276] EXT4-fs (vda): warning: mounting fs with errors, running e2fsck is recommended
[    0.020464] EXT4-fs (vda): mounted filesystem with writeback data mode. Opts: errors=remount-ro
[    0.034246] BUG: failure at fs/buffer.c:195/__find_get_block_slow()!
[    0.034264] Kernel panic - not syncing: BUG!
[    0.034268] Call Trace:
[    0.034275] (____ptrval____):  [<55555559bc94>] .LC81+0x5f/0xfb
[    0.034282] (____ptrval____):  [<5555555c6025>] major_names+0x75/0x80
[    0.034289] (____ptrval____):  [<5555555978f4>] .LC11+0x14/0x20
[    0.034296] (____ptrval____):  [<55555575e71f>] ext4_mark_iloc_dirty+0x126f/0x1640
[    0.034303] (____ptrval____):  [<5555556a91c5>] __find_get_block+0xda5/0xdb0
[    0.034307] (____ptrval____):  [<5555555978f4>] .LC11+0x14/0x20
[    0.034314] (____ptrval____):  [<5555557f876b>] jbd2_journal_cancel_revoke+0x2cb/0x440
[    0.034319] (____ptrval____):  [<5555557e80b9>] do_get_write_access+0x7f9/0xc20
[    0.034324] (____ptrval____):  [<5555557e782e>] jbd2_journal_get_write_access+0x1fe/0x290
[    0.034331] (____ptrval____):  [<55555570d542>] __ext4_journal_get_write_access+0xa2/0x130
[    0.034341] (____ptrval____):  [<55555573f72e>] ext4_free_data+0x9e/0x450
[    0.034358] (____ptrval____):  [<555555740524>] ext4_free_branches+0x654/0x6f0
[    0.034370] (____ptrval____):  [<5555557400ec>] ext4_free_branches+0x21c/0x6f0
[    0.034381] (____ptrval____):  [<55555573f4bf>] ext4_ind_truncate+0x8ff/0xad0
[    0.034391] (____ptrval____):  [<55555575e71f>] ext4_mark_iloc_dirty+0x126f/0x1640
[    0.034402] (____ptrval____):  [<5555555978f4>] .LC11+0x14/0x20
[    0.034414] (____ptrval____):  [<5555558801b7>] __down_write_common+0x177/0x290
[    0.034426] (____ptrval____):  [<5555555bafd4>] ___might_sleep+0x44/0x150
[    0.034436] (____ptrval____):  [<55555574ed4e>] ext4_truncate+0x93e/0xaf0
[    0.034445] (____ptrval____):  [<55555574dd7f>] ext4_evict_inode+0xbdf/0xe50
[    0.034456] (____ptrval____):  [<555555667e2c>] evict+0x20c/0x800
[    0.034464] (____ptrval____):  [<5555556621bb>] iput+0x53b/0x800
[    0.034473] (____ptrval____):  [<55555565bf16>] dentry_unlink_inode+0x276/0x2b0
[    0.034483] (____ptrval____):  [<555555654c42>] __dentry_kill+0x3a2/0x5b0
[    0.034495] (____ptrval____):  [<555555653b7b>] dput+0x34b/0x7c0
[    0.034505] (____ptrval____):  [<55555561669d>] __fput+0x2bd/0x490
[    0.034513] (____ptrval____):  [<555555616289>] ____fput+0x39/0x40
[    0.034525] (____ptrval____):  [<5555555b24ca>] task_work_run+0xba/0xf0
[    0.034534] (____ptrval____):  [<55555559800f>] .LC2+0x3f/0x40
[    0.034543] 
[    0.034551] ---[ end Kernel panic - not syncing: BUG! ]---


- Preliminary analysis
When __find_get_block_slow() is called, bdev is NULL. In the trace above the call is reached through jbd2_journal_cancel_revoke() from ext4_free_data() during ext4_ind_truncate() on inode eviction, so the NULL device appears to come from the journal revoke path while truncating an inode on the corrupted image.
I temporarily inserted a BUG_ON() to get the stack trace.

 192 static struct buffer_head *
 193 __find_get_block_slow(struct block_device *bdev, sector_t block)
 194 {
 195     BUG_ON(bdev == NULL);
 196     struct inode *bd_inode = bdev->bd_inode;
 197     struct address_space *bd_mapping = bd_inode->i_mapping;
 198     struct buffer_head *ret = NULL;
 199     pgoff_t index;
 200     struct buffer_head *bh;
 201     struct buffer_head *head;
 202     struct page *page;
 203     int all_mapped = 1;
 204     static DEFINE_RATELIMIT_STATE(last_warned, HZ, 1);
 205 
 206     index = block >> (PAGE_SHIFT - bd_inode->i_blkbits);
 207     page = find_get_page_flags(bd_mapping, index, FGP_ACCESSED);
 208     if (!page)
 209         goto out;
Comment 1 Jungyeon 2019-03-14 19:28:46 UTC
I'm attaching the original messages without the BUG_ON inserted, just in case. The syscall lines following the kernel log are the reproducer's verbose output.

[    0.000000] Linux version 5.0.0+ (jungyeon@copper) (gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)) #1 Tue Mar 12 20:26:38 EDT 2019
[    0.000000] memblock address range: 0x7fffe4000000 - 0x7fffebfff000
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32319
[    0.000000] Kernel command line: mem=128M virtio_mmio.device=316@0x1000000:1
[    0.000000] Dentry cache hash table entries: 16384 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 4, 65536 bytes)
[    0.000000] Memory available: 129044k/131068k RAM
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 4096
[    0.000000] lkl: irqs initialized
[    0.000000] clocksource: lkl: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[    0.000001] lkl: time and timers initialized (irq2)
[    0.000008] pid_max: default: 4096 minimum: 301
[    0.000073] Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.000083] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.002211] printk: console [lkl_console0] enabled
[    0.002242] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.004003] clocksource: Switched to clocksource lkl
[    0.004291] virtio-mmio: Registering device virtio-mmio.0 at 0x1000000-0x100013b, IRQ 1.
[    0.004761] workingset: timestamp_bits=62 max_order=15 bucket_order=0
[    0.015057] virtio-mmio virtio-mmio.0: Failed to enable 64-bit or 32-bit DMA.  Trying to continue, but this might not work.
[    0.015283] virtio_blk virtio0: [vda] 32768 512-byte logical blocks (16.8 MB/16.0 MiB)
[    0.016182] random: get_random_bytes called from init_oops_id+0x35/0x40 with crng_init=0
[    0.016509] Warning: unable to open an initial console.
[    0.016545] This architecture does not have kernel memory protection.
[    0.016550] Run /init as init process
[    0.019152] EXT4-fs warning (device vda): ext4_clear_journal_err:4988: Filesystem error recorded from previous mount: Readonly filesystem
[    0.019166] EXT4-fs warning (device vda): ext4_clear_journal_err:4989: Marking fs in need of filesystem check.
[    0.019503] EXT4-fs (vda): warning: mounting fs with errors, running e2fsck is recommended
[    0.019672] EXT4-fs (vda): mounted filesystem with writeback data mode. Opts: errors=remount-ro
	v13 = syscall(SYS_open, (long)v12, 65536, 0);
	syscall(SYS_getdents64, (long)v13, (long)v1, 1435);
	syscall(SYS_fsync, (long)v13);
	v15 = syscall(SYS_open, (long)v14, 66, 438);
	syscall(SYS_fdatasync, (long)v15);
	syscall(SYS_newlstat, (long)v9, (long)v1);
	syscall(SYS_link, (long)v4, (long)v16);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_ftruncate, (long)v15, 6784);
	syscall(SYS_ftruncate, (long)v15, 4214);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_ftruncate, (long)v15, 150);
	syscall(SYS_removexattr, (long)v2, (long)v17);
	syscall(SYS_write, (long)v15, (long)v1, 7533);
	syscall(SYS_ftruncate, (long)v15, 7340);
	syscall(SYS_fsync, (long)v13);
	syscall(SYS_listxattr, (long)v12, (long)v1, 2897);
	syscall(SYS_ftruncate, (long)v15, 4203);
	syscall(SYS_write, (long)v15, (long)v1, 7906);
	syscall(SYS_symlink, (long)v5, (long)v18);
	syscall(SYS_write, (long)v15, (long)v1, 3168);
	syscall(SYS_write, (long)v15, (long)v1, 8165);
	syscall(SYS_readlink, (long)v2, (long)v1, 8192);
	syscall(SYS_symlink, (long)v11, (long)v19);
	syscall(SYS_fsync, (long)v13);
	syscall(SYS_pwrite64, (long)v15, (long)v1, 1395, 6228);
	syscall(SYS_lseek, (long)v15, 943, 4);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_read, (long)v15, (long)v0, 143);
	syscall(SYS_setxattr, (long)v2, (long)v21, (long)v20, 47, 1);
	syscall(SYS_newlstat, (long)v4, (long)v1);
	syscall(SYS_lseek, (long)v15, 6040, 2);
	syscall(SYS_ftruncate, (long)v15, 7971);
	syscall(SYS_write, (long)v15, (long)v1, 6752);
	syscall(SYS_ftruncate, (long)v15, 2719);
	syscall(SYS_truncate, (long)v7, 7015);
	syscall(SYS_fsync, (long)v13);
	syscall(SYS_write, (long)v15, (long)v1, 7688);
	syscall(SYS_rmdir, (long)v4);
	syscall(SYS_ftruncate, (long)v15, 6532);
	syscall(SYS_access, (long)v3, 4);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_write, (long)v15, (long)v1, 2075);
	syscall(SYS_chmod, (long)v8, 3072);
	syscall(SYS_access, (long)v6, 4);
	syscall(SYS_symlink, (long)v3, (long)v22);
	syscall(SYS_fsync, (long)v13);
	syscall(SYS_write, (long)v15, (long)v1, 2053);
	syscall(SYS_newlstat, (long)v10, (long)v1);
	syscall(SYS_pwrite64, (long)v15, (long)v1, 8187, 6095);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_rmdir, (long)v12);
	syscall(SYS_unlink, (long)v18);
	syscall(SYS_link, (long)v19, (long)v23);
	syscall(SYS_rmdir, (long)v16);
	syscall(SYS_listxattr, (long)v11, (long)v1, 3204);
	syscall(SYS_truncate, (long)v14, 1234);
	syscall(SYS_unlink, (long)v14);
	syscall(SYS_write, (long)v15, (long)v1, 5057);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_access, (long)v5, 2);
	syscall(SYS_write, (long)v15, (long)v1, 3487);
	v25 = syscall(SYS_open, (long)v24, 66, 438);
	syscall(SYS_listxattr, (long)v23, (long)v1, 5475);
	syscall(SYS_unlink, (long)v19);
	syscall(SYS_write, (long)v15, (long)v1, 6720);
	syscall(SYS_truncate, (long)v10, 4907);
	syscall(SYS_getdents64, (long)v13, (long)v1, 2280);
	syscall(SYS_fsync, (long)v15);
	syscall(SYS_fdatasync, (long)v25);
	syscall(SYS_pwrite64, (long)v25, (long)v1, 6152, 4834);
	syscall(SYS_removexattr, (long)v23, (long)v26);
	syscall(SYS_lseek, (long)v25, 3817, 2);
	v28 = syscall(SYS_open, (long)v27, 66, 438);
	syscall(SYS_pwrite64, (long)v28, (long)v1, 7246, 2701);
	syscall(SYS_newlstat, (long)v24, (long)v1);
	syscall(SYS_lseek, (long)v28, 2201, 0);
	syscall(SYS_fsync, (long)v28);
	syscall(SYS_lseek, (long)v25, 118, 3);
	syscall(SYS_lseek, (long)v25, 731, 4);
	syscall(SYS_lseek, (long)v25, 3045, 2);
	syscall(SYS_newstat, (long)v5, (long)v1);
	v29 = syscall(SYS_open, (long)v3, 65536, 0);
	syscall(SYS_link, (long)v7, (long)v30);
	syscall(SYS_lseek, (long)v25, 3463, 3);
	syscall(SYS_removexattr, (long)v27, (long)v31);
	syscall(SYS_fsync, (long)v25);
	v33 = syscall(SYS_open, (long)v32, 66, 438);
	syscall(SYS_mkdir, (long)v34, 511);
	syscall(SYS_fdatasync, (long)v33);
	syscall(SYS_write, (long)v33, (long)v1, 1254);
	syscall(SYS_utimes, (long)v24, (long)v1);
	syscall(SYS_chmod, (long)v32, 3072);
	syscall(SYS_truncate, (long)v3, 537);
	syscall(SYS_removexattr, (long)v5, (long)v35);
	syscall(SYS_fsync, (long)v29);
Segmentation fault (core dumped)
