| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2a17b9b1-c490-4571-8f6a-fa567ed0b57e@linux.ibm.com>
Date: Wed, 7 May 2025 21:05:42 +0530
From: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
To: LKML <linux-kernel@...r.kernel.org>,
linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>,
linux-btrfs@...r.kernel.org, riteshh@...ux.ibm.com,
Qu Wenruo <quwenruo.btrfs@....com>, disgoel@...ux.vnet.ibm.com,
viro@...iv.linux.org.uk, dsterba@...e.com
Subject: Re: [next-20250506][btrfs] Kernel OOPS while btrfs/001 TC
On 07/05/25 2:14 pm, Venkat Rao Bagalkote wrote:
> Hello,
>
>
> I am observing kernel OOPS, while running btrfs/001 TC, from xfstests
> suite.
>
>
> This issue is introduced in next-20250506. This issue is not seen on
> next-20250505 kernel.
>
>
> Steps to repro:
>
>
> 1. git clone git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
> 2. cd xfstests-dev/
> 3. mkdir /mnt/loop-device /mnt/test /mnt/scratch
> 4. for i in $(seq 0 5); do fallocate -o 0 -l 5GiB
> /mnt/loop-device/file-$i.img; done
> 5. for i in $(seq 0 5); do losetup /dev/loop$i
> /mnt/loop-device/file-$i.img; done
> 6. mkfs.btrfs -f -s 65536 -n 65536 /dev/loop0; mkfs.btrfs -f
> /dev/loop1; mkfs.btrfs -f /dev/loop2; mkfs.btrfs -f /dev/loop3;
> mkfs.btrfs -f /dev/loop4; mkfs.btrfs -f /dev/loop5
> 8. vi local.config
> 9. make
> 10. ./check tools/btrfs/001
>
>
> local.config contents:
>
>
> export RECREATE_TEST_DEV=true
> export TEST_DEV=/dev/loop0
> export TEST_DIR=/mnt/test
> export SCRATCH_DEV_POOL="/dev/loop1 /dev/loop2 /dev/loop3 /dev/loop4
> /dev/loop5"
> export SCRATCH_MNT=/mnt/scratch
> export MKFS_OPTIONS="-f -s 4096 -n 4096"
> export FSTYP=btrfs
> export MOUNT_OPTIONS=""
>
>
> Crash:
>
>
> [ 953.799060] Btrfs loaded, zoned=yes, fsverity=no
> [ 968.070858] BTRFS: device fsid 3813dc53-a2f3-4342-b44e-c9349f17f991
> devid 1 transid 8 /dev/loop0 (7:0) scanned by mount (25422)
> [ 968.072561] BTRFS info (device loop0): first mount of filesystem
> 3813dc53-a2f3-4342-b44e-c9349f17f991
> [ 968.072584] BTRFS info (device loop0): using crc32c
> (crc32c-powerpc) checksum algorithm
> [ 968.072594] BTRFS info (device loop0): forcing free space tree for
> sector size 4096 with page size 65536
> [ 968.072599] BTRFS info (device loop0): using free-space-tree
> [ 968.073867] BTRFS info (device loop0): checking UUID tree
> [ 968.074000] Kernel attempted to read user page (68) - exploit
> attempt? (uid: 0)
> [ 968.074009] BUG: Kernel NULL pointer dereference on read at 0x00000068
> [ 968.074013] Faulting instruction address: 0xc00800000f7fb5e0
> [ 968.074019] Oops: Kernel access of bad area, sig: 11 [#1]
> [ 968.074022] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries
> [ 968.074028] Modules linked in: btrfs blake2b_generic xor raid6_pq
> zstd_compress loop dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6
> nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject
> nft_ct sunrpc nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
> nf_defrag_ipv4 bonding tls rfkill ip_set nf_tables nfnetlink
> pseries_rng vmx_crypto fuse ext4 crc16 mbcache jbd2 sd_mod sg ibmvscsi
> scsi_transport_srp ibmveth
> [ 968.074074] CPU: 0 UID: 0 PID: 25422 Comm: mount Kdump: loaded Not
> tainted 6.15.0-rc5-next-20250506 #1 VOLUNTARY
>
> [ 968.074087] NIP: c00800000f7fb5e0 LR: c00800000f7fb3b4 CTR:
> c00000000047862c
> [ 968.074091] REGS: c000000154747920 TRAP: 0300 Not tainted
> (6.15.0-rc5-next-20250506)
> [ 968.074096] MSR: 800000000280b033
> <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24022882 XER: 00000000
> [ 968.074109] CFAR: c00800000f7fb650 DAR: 0000000000000068 DSISR:
> 40000000 IRQMASK: 0
> [ 968.074109] GPR00: c00800000f7fb3b4 c000000154747bc0
> c0080000099da600 0000000000000000
> [ 968.074109] GPR04: c000000008570c20 7fffffffffffffff
> 0000000000000000 c0000000068e3a00
> [ 968.074109] GPR08: 0000000000000000 0000000000000000
> c0000000068e3a00 0000000000002000
> [ 968.074109] GPR12: c00000000047862c c000000003020000
> 0000000000000000 0000000000000000
> [ 968.074109] GPR16: 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000
> [ 968.074109] GPR20: 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000
> [ 968.074109] GPR24: 0000000000000000 c000000015b00000
> c00000007a38ac00 0000000000000020
> [ 968.074109] GPR28: c000000008560a00 c00000006b1784c0
> 0000000000000000 c000000063147980
> [ 968.074163] NIP [c00800000f7fb5e0]
> btrfs_get_tree_subvol+0x32c/0x544 [btrfs]
> [ 968.074205] LR [c00800000f7fb3b4] btrfs_get_tree_subvol+0x100/0x544
> [btrfs]
> [ 968.074241] Call Trace:
> [ 968.074244] [c000000154747bc0] [c00800000f7fb3b4]
> btrfs_get_tree_subvol+0x100/0x544 [btrfs] (unreliable)
> [ 968.074282] [c000000154747cb0] [c000000000630da4]
> vfs_get_tree+0x48/0x15c
> [ 968.074291] [c000000154747d30] [c00000000067675c]
> do_new_mount+0x234/0x438
> [ 968.074297] [c000000154747da0] [c000000000678298]
> sys_mount+0x164/0x1b0
> [ 968.074303] [c000000154747e10] [c000000000033338]
> system_call_exception+0x138/0x330
> [ 968.074311] [c000000154747e50] [c00000000000d05c]
> system_call_vectored_common+0x15c/0x2ec
> [ 968.074319] ---- interrupt: 3000 at 0x7fff89d4edf4
> [ 968.074323] NIP: 00007fff89d4edf4 LR: 00007fff89d4edf4 CTR:
> 0000000000000000
> [ 968.074328] REGS: c000000154747e80 TRAP: 3000 Not tainted
> (6.15.0-rc5-next-20250506)
> [ 968.074333] MSR: 800000000280f033
> <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44022804 XER: 00000000
> [ 968.074345] IRQMASK: 0
> [ 968.074345] GPR00: 0000000000000015 00007fffc25e41b0
> 00007fff89e37d00 000000015e810710
> [ 968.074345] GPR04: 000000015e810730 000000015e8106f0
> 0000000000000000 000000015e810690
> [ 968.074345] GPR08: 000000015e8106f0 0000000000000000
> 0000000000000000 0000000000000000
> [ 968.074345] GPR12: 0000000000000000 00007fff8a03c140
> 0000000000000000 0000000000000000
> [ 968.074345] GPR16: 0000000000000000 0000000000000000
> 0000000000000000 0000000125d1f298
> [ 968.074345] GPR20: 0000000000000000 0000000000000000
> 000000015e810530 000000015e810730
> [ 968.074345] GPR24: 00007fff89f38e68 00007fff89f38e78
> 00007fff89f3dfe8 00007fff89f60240
> [ 968.074345] GPR28: 000000015e8106f0 0000000000000000
> 000000015e810710 0000000000100000
> [ 968.074396] NIP [00007fff89d4edf4] 0x7fff89d4edf4
> [ 968.074399] LR [00007fff89d4edf4] 0x7fff89d4edf4
> [ 968.074403] ---- interrupt: 3000
> [ 968.074406] Code: 4bffeffd 3920f000 7c234840 7c7e1b78 41810144
> 7c7a1b78 4bfffe30 60000000 813f0088 71290001 41820068 e93d0040
> <e8690068> 38630070 481416e1 e8410018
> [ 968.074425] ---[ end trace 0000000000000000 ]---
> [ 968.076694] pstore: backend (nvram) writing error (-1)
> [ 968.076698]
>
>
Git bisect is pointing first bad commit:
[25efcff06654aa283be379420e8b1f8d344c2f78] btrfs_get_tree_subvol():
switch from fc_mount() to vfs_create_mount().
Upon reverting above commit, issue is not seen. Please help in fixing
this issue.
Bisection log:
git bisect start
# status: waiting for both good and bad commits
# good: [92a09c47464d040866cf2b4cd052bc60555185fb] Linux 6.15-rc5
git bisect good 92a09c47464d040866cf2b4cd052bc60555185fb
# status: waiting for bad commit, 1 good commit known
# bad: [0a00723f4c2d0b273edd0737f236f103164a08eb] Add linux-next
specific files for 20250506
git bisect bad 0a00723f4c2d0b273edd0737f236f103164a08eb
# bad: [d0a7045528df303c86ce87662728ea8ee136c7ef] Merge branch
'nand/next' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git
git bisect bad d0a7045528df303c86ce87662728ea8ee136c7ef
# bad: [3acffb16ef28cc1979b42c235fed9c7bf653e815] Merge branch 'fs-next'
of linux-next
git bisect bad 3acffb16ef28cc1979b42c235fed9c7bf653e815
# good: [59e921108839edbbcbce23475596fee455ec4129] Merge branch 'next'
of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel.git
git bisect good 59e921108839edbbcbce23475596fee455ec4129
# bad: [28485805726d7960c1d5be4a45d59ea26652f6d2] Merge branch 'master'
of https://github.com/Paragon-Software-Group/linux-ntfs3.git
git bisect bad 28485805726d7960c1d5be4a45d59ea26652f6d2
# bad: [255b0bb00ae27f2adcf054b71f29be50d2e34025] Merge branch
'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git
git bisect bad 255b0bb00ae27f2adcf054b71f29be50d2e34025
# good: [456619c2c7107c700321664f79c4e89d19805063] btrfs: simplify
getting and extracting previous transaction at clean_pinned_extents()
git bisect good 456619c2c7107c700321664f79c4e89d19805063
# good: [028156969e9f640e7eee0a98b19c731fd9862f14] bcachefs:
bch2_io_failures_to_text()
git bisect good 028156969e9f640e7eee0a98b19c731fd9862f14
# good: [b3f59e3a42fd075d40a65dbcdf853302db4ba93f] bcachefs: Ensure
proper write alignment
git bisect good b3f59e3a42fd075d40a65dbcdf853302db4ba93f
# good: [8209541b4998a1bcf99c7530e60ce6c9aefd87f8] btrfs: update
lookup_root_entry to to use rb helper
git bisect good 8209541b4998a1bcf99c7530e60ce6c9aefd87f8
# good: [94fa56d94dbca52e07b0f0233257f502ca6d547a] btrfs: scrub: fix a
wrong error type when metadata bytenr mismatches
git bisect good 94fa56d94dbca52e07b0f0233257f502ca6d547a
# bad: [c91d3cff2a3ce3fc0960d8e6bdb69be51f105d67] Merge branch
'misc-next' into for-next-next-v6.15-20250505
git bisect bad c91d3cff2a3ce3fc0960d8e6bdb69be51f105d67
# bad: [25efcff06654aa283be379420e8b1f8d344c2f78]
btrfs_get_tree_subvol(): switch from fc_mount() to vfs_create_mount()
git bisect bad 25efcff06654aa283be379420e8b1f8d344c2f78
# good: [4254b8e069c7fa48106be44f8fcf4cafc264bd14] btrfs: scrub:
aggregate small bitmaps into a larger one
git bisect good 4254b8e069c7fa48106be44f8fcf4cafc264bd14
# first bad commit: [25efcff06654aa283be379420e8b1f8d344c2f78]
btrfs_get_tree_subvol(): switch from fc_mount() to vfs_create_mount()
Regards,
Venkat.
>
> If you happent to fix this, please add below tag.
>
>
> Reported-by: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
>
>
> Regards,
>
> Venkat.
>
Powered by blists - more mailing lists