From: Vegard Nossum <vegard.nossum@oracle.com>
To: Dave Chinner <david@fromorbit.com>
Cc: xfs@oss.sgi.com
Subject: BUG: unable to handle kernel paging request at ffffffff82200000 (xlog_recover_buffer_pass2)
Date: Wed, 2 Dec 2015 08:42:23 +0100
Message-ID: <565EA0DF.609@oracle.com>

[-- Attachment #1: Type: text/plain, Size: 4105 bytes --]

Hi,

Mounting the attached XFS image (fuzzed) gives me the following invalid
memory dereference on latest linus/master:

XFS (vda): Mounting V4 Filesystem
XFS (vda): Starting recovery (logdev: internal)
XFS (vda): log record CRC mismatch: found 0x9f534964, expected 0xd46d59ce.
ffffc90000442000: 00 00 00 01 00 00 00 00 69 01 00 00 e6 33 18 19  ........i....3..
ffffc90000442010: 00 00 00 10 69 00 00 00 4e 41 52 54 2a 00 00 00  ....i...NART*...
XFS (vda): log record CRC mismatch: found 0xedba28e, expected 0x9f019b73.
ffffc90000442000: 00 00 00 01 00 00 00 00 69 01 00 00 5c 47 88 1e  ........i...\G..
ffffc90000442010: 00 00 00 10 69 00 00 00 4e 41 52 54 2a 00 00 00  ....i...NART*...
XFS (vda): log record CRC mismatch: found 0x9f534964, expected 0xd46d59ce.
ffffc9000044a000: 00 00 00 01 00 00 00 00 69 01 00 00 e6 33 18 19  ........i....3..
ffffc9000044a010: 00 00 00 10 69 00 00 00 4e 41 52 54 2a 00 00 00  ....i...NART*...
BUG: unable to handle kernel paging request at ffffffff82200000
IP: [<ffffffff81475616>] memcpy_erms+0x6/0x10
PGD 1e10067 PUD 1e11063 PMD 0
Oops: 0000 [#1] SMP KASAN
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.4.0-rc3+ #245
task: ffff880016e28000 ti: ffff880016e30000 task.ti: ffff880016e30000
RIP: 0010:[<ffffffff81475616>]  [<ffffffff81475616>] memcpy_erms+0x6/0x10
RSP: 0000:ffff880016e377b8  EFLAGS: 00010287
RAX: ffff88001494e380 RBX: 0000000000000027 RCX: ffffffff80285761
RDX: ffffffff81150400 RSI: ffffffff82200000 RDI: ffff88001581901f
RBP: ffff880016e37808 R08: ffff880016429ba8 R09: 0000000000000018
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880016429b90
R13: 0000000000000002 R14: 00000000ff022a08 R15: ffffffff81335361
FS:  0000000000000000(0000) GS:ffff880017200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff82200000 CR3: 0000000001e0f000 CR4: 00000000001406b0
Stack:
  ffffffff8133eb74 ffff880000079b80 ffff880015bf6e40 ffff880016429ba4
  ffff880000108470 ffff880016429b90 ffff880014c26290 ffff880015bf6e40
  ffff880000108450 ffff880000079b80 ffff880016e37870 ffffffff8133f02a
Call Trace:
  [<ffffffff8133eb74>] ? xlog_recover_do_reg_buffer.isra.23+0x124/0x1b0
  [<ffffffff8133f02a>] xlog_recover_buffer_pass2+0x35a/0x450
  [<ffffffff81340c09>] xlog_recover_commit_pass2+0xe9/0x160
  [<ffffffff81340cbc>] xlog_recover_items_pass2+0x3c/0x60
  [<ffffffff81340ee6>] xlog_recover_commit_trans+0x206/0x230
  [<ffffffff81340f8a>] xlog_recovery_process_trans+0x7a/0xb0
  [<ffffffff8134101e>] xlog_recover_process_ophdr+0x5e/0xc0
  [<ffffffff8134111a>] xlog_recover_process_data+0x9a/0xc0
  [<ffffffff81341580>] xlog_do_recovery_pass+0x440/0x540
  [<ffffffff8115384f>] ? kasan_poison_shadow+0x2f/0x40
  [<ffffffff813416f9>] xlog_do_log_recovery+0x79/0xc0
  [<ffffffff81341751>] xlog_do_recover+0x11/0xe0
  [<ffffffff81342553>] xlog_recover+0xa3/0x140
  [<ffffffff8133718e>] xfs_log_mount+0x24e/0x2c0
  [<ffffffff8132f209>] xfs_mountfs+0x499/0x7d0
  [<ffffffff8132ff91>] ? xfs_mru_cache_create+0x121/0x180
  [<ffffffff81331e2d>] xfs_fs_fill_super+0x38d/0x4a0
  [<ffffffff8115deb5>] mount_bdev+0x185/0x1c0
  [<ffffffff81331aa0>] ? xfs_parseargs+0xaa0/0xaa0
  [<ffffffff81330580>] xfs_fs_mount+0x10/0x20
  [<ffffffff8115e0e4>] mount_fs+0x34/0x160
  [<ffffffff811240b0>] ? __alloc_percpu+0x10/0x20
  [<ffffffff81178a22>] vfs_kern_mount+0x62/0x110
  [<ffffffff81179e6b>] do_mount+0x21b/0xdd0

$ addr2line -e vmlinux -i ffffffff81475616 # memcpy_erms+0x6/0x10
arch/x86/lib/memcpy_64.S:50

$ addr2line -e vmlinux -i ffffffff8133eb74 # xlog_recover_do_reg_buffer.isra.23+0x124/0x1b0
fs/xfs/xfs_log_recover.c:2238

$ addr2line -e vmlinux -i ffffffff8133f02a # xlog_recover_buffer_pass2+0x35a/0x450
fs/xfs/xfs_log_recover.c:2397

which is this bit:

     memcpy(xfs_buf_offset(bp,
             (uint)bit << XFS_BLF_SHIFT),    /* dest */
             item->ri_buf[i].i_addr,         /* source */
             nbits<<XFS_BLF_SHIFT);          /* length */

Because of the memory corruption the bug manifests in different ways,
but the stacktrace above is by far the most common.

I can test patches. Thanks,


Vegard

[-- Attachment #2: xfs.0.bz2 --]
[-- Type: application/x-bzip, Size: 5673 bytes --]
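
The copy quoted in the report takes its length from a run of dirty-bitmap bits read from the image. As an added illustration (userspace code written for this page, not kernel code, not the upstream fix and not part of the original message), the model below checks each run against both the logged source length and the destination buffer before calling memcpy. The struct, function names and sample data are hypothetical, and a 128-byte chunk (shift of 7) is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLF_SHIFT 7   /* assumed: one bitmap bit covers a 128-byte chunk */
struct region { const uint8_t *addr; size_t len; };  /* hypothetical logged region */

static int bit_set(const uint32_t *map, unsigned total, unsigned b)
{
    return b < total && ((map[b / 32] >> (b % 32)) & 1u);
}

/* Copy each run of set bits from its logged region into dst. Returns the
 * number of regions copied, or -1 at the first run whose length is not
 * backed by the source region or does not fit in the destination. */
int replay_regions(uint8_t *dst, size_t dst_len, const uint32_t *map,
                   unsigned map_words, const struct region *regs, unsigned nregs)
{
    unsigned total = map_words * 32, bit = 0, i = 0;
    for (;;) {
        while (bit < total && !bit_set(map, total, bit)) bit++;
        if (bit >= total) return (int)i;
        unsigned nbits = 0;
        while (bit_set(map, total, bit + nbits)) nbits++;
        size_t off = (size_t)bit << BLF_SHIFT, len = (size_t)nbits << BLF_SHIFT;
        if (i >= nregs || !regs[i].addr || regs[i].len < len) return -1; /* short source */
        if (off > dst_len || len > dst_len - off) return -1;            /* past dest end */
        memcpy(dst + off, regs[i].addr, len);
        bit += nbits;
        i++;
    }
}

/* Constructed input: runs at bits 0-1 and bit 5. src_len is the length
 * recorded for the first region; the bitmap implies 256 bytes for it. */
int demo(size_t src_len, size_t dst_len)
{
    static uint8_t dst[4096], src[256];
    uint32_t map[1] = { 0x23 };                 /* bits 0, 1, 5 */
    struct region regs[2] = { { src, src_len }, { src, 128 } };
    memset(src, 0xAA, sizeof src);
    return replay_regions(dst, dst_len, map, 1, regs, 2);
}

int main(void)
{
    printf("ok=%d short_src=%d small_dst=%d\n",
           demo(256, 4096), demo(128, 4096), demo(256, 512));
    return 0;
}
```
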
