Btrfs devel - Dec 2008 - PROBLEM: oops on attempt to mount badly formed filesystem

Chris:

I can consistently generate oopses (null pointer dereferenced) when 
attempting to mount a badly formed multi-device filesystem using kernels 
built from the current btrfs-unstable.  "Badly formed" means that mkfs
was given six legitimate device names and one non-existent device name 
as arguments.  mkfs reported an error for the non-existent device, but 
apparently left a damaged btrfs filesystem behind.  This bug is easily 
reproduced - simply attempt to mkfs with a non-existent device name, and 
then attempt to mount (example below with the oops).

Once the oops occurs, the system remains responsive, but must be reset 
to reboot.  I''ve also noted that btrfs-show reports four devices for
the
badly formed filesystem in this example and then proceeds to list 
details for six devices.

The system is a dual socket, quad core Intel machine with an attached 
hardware RAID controller.  The latter supplies six single disk volumes 
used for the filesystem in this test.

Particulars follow - please let me know if you''d like more information,
etc.

Thanks,
Eric


Commit:
c99e905c945c462085c6d64646dc5af0c0a16815

uname -a:
Linux bl460cb 2.6.28-rc5-btrfs-unstable #1 SMP Wed Dec 3 11:08:13 EST 
2008 x86_64 GNU/Linux

oops as taken from the console, including mkfs and mount commands preceding:

root@bl460cb:~# mkfs.btrfs /dev/cciss/c1d0 /dev/cciss/c1d1 
/dev/cciss/c1d2 /dev/cciss/c1d3 /dev/cciss/c1d4 /dev/cciss/c1d5 
/dev/cciss/c1d6
adding device /dev/cciss/c1d1 id 2
adding device /dev/cciss/c1d2 id 3
adding device /dev/cciss/c1d3 id 4
adding device /dev/cciss/c1d4 id 5
adding device /dev/cciss/c1d5 id 6
error checking /dev/cciss/c1d6 mount status
root@bl460cb:~# mount /dev/cciss/c1d5 /mnt
[  158.264455] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000300
[  158.268996] IP: [<ffffffff802e34a7>] bio_get_nr_vecs+0x7/0x40
[  158.274050] PGD 8215de067 PUD 827dfb067 PMD 0
[  158.274206] Oops: 0000 [#1] SMP
[  158.274206] last sysfs file: /sys/block/loop7/removable
[  158.274206] CPU 4
[  158.274206] Modules linked in: iptable_filter ip_tables x_tables 
parport_pc lp parport loop ipmi_devintf ipmi_si iTCO_wdt 
iTCO_vendor_support ipv6 ipmi_msghandler pcspkr serio_raw i5000_edac 
edac_core psmouse container shpchp button pci_hotplug evdev ext3 jbd 
mbcache usbhid hid ehci_hcd uhci_hcd bnx2 usbcore cciss scsi_mod thermal 
processor fan thermal_sys fuse
[  158.274206] Pid: 5188, comm: mount Not tainted 
2.6.28-rc5-btrfs-unstable #1
[  158.274206] RIP: 0010:[<ffffffff802e34a7>]  [<ffffffff802e34a7>] 
bio_get_nr_vecs+0x7/0x40
[  158.274206] RSP: 0018:ffff880823d5ba10  EFLAGS: 00010246
[  158.274206] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 
0000000000002028
[  158.274206] RDX: ffffffff80354620 RSI: ffff88082a448038 RDI: 
ffff88082c797000
[  158.274206] RBP: 0000000000000000 R08: 0000000000001000 R09: 
0000000000000000
[  158.274206] R10: 0000000000000000 R11: 0000000000000000 R12: 
ffff880823d5bbd8
[  158.274206] R13: 0000000000000100 R14: 0000000000000000 R15: 
0000000000002028
[  158.274206] FS:  00007f701db2a780(0000) GS:ffff88082c862900(0000) 
knlGS:0000000000000000
[  158.274206] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  158.274206] CR2: 0000000000000300 CR3: 0000000827ddf000 CR4: 
00000000000006e0
[  158.274206] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[  158.274206] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 
0000000000000400
[  158.274206] Process mount (pid: 5188, threadinfo ffff880823d5a000, 
task ffff88081f95be80)
[  158.274206] Stack:
[  158.274206]  ffffffff80350cf2 0000000000405000 0000000000405fff 
ffffffff80354620
[  158.274206]  ffff88082c797000 0000000000000000 ffffe2001c88eac0 
ffff88082a448038
[  158.274206]  0000000000000000 0000000000001000 ffff88082a417058 
0000000000405000
[  158.274206] Call Trace:
[  158.274206]  [<ffffffff80350cf2>] submit_extent_page+0x222/0x2c0
[  158.274206]  [<ffffffff80354620>] end_bio_extent_readpage+0x0/0x1d0
[  158.274206]  [<ffffffff80351e37>] __extent_read_full_page+0x2e7/0x6a0
[  158.274206]  [<ffffffff80354620>] end_bio_extent_readpage+0x0/0x1d0
[  158.274206]  [<ffffffff803356f0>] btree_get_extent+0x0/0x1f0
[  158.274206]  [<ffffffff8035384e>] read_extent_buffer_pages+0x1be/0x3e0
[  158.274206]  [<ffffffff803356f0>] btree_get_extent+0x0/0x1f0
[  158.274206]  [<ffffffff803337e0>] 
btree_read_extent_buffer_pages+0x50/0xc0
[  158.274206]  [<ffffffff80333b15>] read_tree_block+0x35/0x70
[  158.274206]  [<ffffffff8033711b>] open_ctree+0xb9b/0xed0
[  158.274206]  [<ffffffff802bf306>] sget+0x396/0x3f0
[  158.274206]  [<ffffffff802bfdf0>] set_anon_super+0x0/0xc0
[  158.274206]  [<ffffffff8031aedc>] btrfs_get_sb+0x35c/0x4a0
[  158.274206]  [<ffffffff80295794>] kstrdup+0x54/0x120
[  158.274206]  [<ffffffff802bf8c8>] vfs_kern_mount+0x78/0x160
[  158.274206]  [<ffffffff802bfa13>] do_kern_mount+0x53/0x110
[  158.274206]  [<ffffffff802d53b2>] do_mount+0x542/0x810
[  158.274206]  [<ffffffff802d571b>] sys_mount+0x9b/0x100
[  158.274206]  [<ffffffff8020c1eb>] system_call_fastpath+0x16/0x1b
[  158.274206] Code: 83 c4 18 4c 89 f7 5b 5d 41 5c 41 5d 41 5e 41 5f e9 
af e9 ff ff 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 87 98 00 
00 00 <48> 8b 88 00 03 00 00 8b 81 cc 02 00 00 0f b7 91 d6 02 00 00 0f
[  158.274206] RIP  [<ffffffff802e34a7>] bio_get_nr_vecs+0x7/0x40
[  158.274206]  RSP <ffff880823d5ba10>
[  158.274206] CR2: 0000000000000300
[  158.430189] ---[ end trace dcfa48815a956024 ]---
Killed
root@bl460cb:~#


btrfs-show taken after the oops:

Label: none  uuid: 3a0bde17-9d1f-46f8-9657-34f37016e707
	Total devices 4 FS bytes used 20.00KB
	devid    4 size 68.33GB used 0.00 path /dev/cciss/c1d3
	devid    2 size 68.33GB used 0.00 path /dev/cciss/c1d1
	devid    5 size 68.33GB used 0.00 path /dev/cciss/c1d4
	devid    1 size 68.33GB used 20.00MB path /dev/cciss/c1d0
	devid    6 size 68.33GB used 0.00 path /dev/cciss/c1d5
	devid    3 size 68.33GB used 0.00 path /dev/cciss/c1d2

Btrfs v0.16-25-gd45ee76

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Fri, Dec 5, 2008 at 10:21 PM, Eric Whitney <eric.whitney@hp.com>
wrote:
> Chris:
>
> I can consistently generate oopses (null pointer dereferenced) when
> attempting to mount a badly formed multi-device filesystem using kernels
> built from the current btrfs-unstable.  "Badly formed" means that
mkfs was
I can also confirm this oops, in a very simple setup (no raid ).

(Note - In example below, /dev/sdb5 doesn''t exist).

[root@f10-vm1 ~]# /home/niraj/btrfs/bin/mkfs.btrfs /dev/sdb2 /dev/sdb5
error checking /dev/sdb5 mount status
[root@f10-vm1 ~]# echo $?
1
[root@f10-vm1 ~]# mount -t btrfs /dev/sdb2 /f2

This mount attempt results in this oops:

------------[ cut here ]------------
kernel BUG at fs/btrfs/disk-io.c:913!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/misc/btrfs-control/dev
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in: btrfs zlib_deflate libcrc32c fuse sco bridge stp
bnep l2cap bluetooth sunrpc ip6t_REJECT nf_conntrack_ipv6
ip6table_filter ip6_tables ipv6 dm_multipath uinput pcspkr pcnet32 mii
ata_generic pata_acpi [last unloaded: microcode]

Pid: 2426, comm: mount Tainted: G        W  (2.6.28-rc5 #9) VirtualBox
EIP: 0060:[<e0986491>] EFLAGS: 00210202 CPU: 0
EIP is at find_and_setup_root+0x58/0xac [btrfs]
EAX: 00000001 EBX: debc1060 ECX: e0975983 EDX: c04969ed
ESI: debc1060 EDI: d8569060 EBP: de81ad9c ESP: de81ad8c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0069
Process mount (pid: 2426, ti=de81a000 task=def053c0 task.ti=de81a000)
Stack:
 00001000 d8569060 debc1060 df1f0000 de81add8 e0986567 fffffff7 ffffffff
 d8569060 df1f1a5c de81adfb d8569060 c06e5618 c06e5633 a03eb7e3 a03eb800
 00000000 df1f0000 df1f0038 de81adf0 e098675a de81adfb df1f1ce4 df1f1ce4
Call Trace:
 [<e0986567>] ? btrfs_read_fs_root_no_radix+0x55/0x1d4 [btrfs]
 [<c06e5618>] ? __mutex_unlock_slowpath+0xf2/0x105
 [<c06e5633>] ? mutex_unlock+0x8/0xa
 [<e098675a>] ? btrfs_read_fs_root_no_name+0x74/0xec [btrfs]
 [<e098132f>] ? btrfs_cleanup_reloc_trees+0xa9/0xc0 [btrfs]
 [<e0988e12>] ? open_ctree+0xc40/0xdb4 [btrfs]
 [<c052f65b>] ? strlcpy+0x17/0x48
 [<e0974871>] ? btrfs_get_sb+0x201/0x3ec [btrfs]
 [<c04800aa>] ? kstrdup+0x2a/0x4c
 [<c049c152>] ? vfs_kern_mount+0x81/0xf3
 [<c049c4aa>] ? do_kern_mount+0x32/0xb3
 [<c04ac7a8>] ? do_mount+0x5f2/0x62c
 [<c053441c>] ? _raw_spin_lock+0x53/0xdd
 [<c04ac846>] ? sys_mount+0x64/0x9b
 [<c0403b96>] ? syscall_call+0x7/0xb
Code: 57 ff b3 94 02 00 00 e8 84 fd ff ff 8b 55 08 8d 87 2b 01 00 00
8b 4d 0c 50 8d 47 64 50 89 d8 e8 19 d2 ff ff 83 c4 1c 85 c0 74 04 <0f>
0b eb fe 80 bf 2a 01 00 00 00 8b 9f dc 00 00 00 8b b7 e0 00
EIP: [<e0986491>] find_and_setup_root+0x58/0xac [btrfs] SS:ESP
0069:de81ad8c
---[ end trace 4eaa2a86a8e2da22 ]---
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html