BUG: kernel NULL pointer dereference when using zstd

BUG: kernel NULL pointer dereference when using zstd

[Daniel Martinez]

[-- Attachment #1: Type: text/plain, Size: 736 bytes --]

Hello,

I have encountered a bug when using zstd compression (I assume that's
what caused it, but I could be wrong) on the Debian kernel 5.7.10-1.

Not sure if its relevant, but I may be hitting some corner case here,
so my full storage stack is:
Windows 10 -> VMware workstation full drive passthrough -> btrfs x2 -> mergerfs

In btrfs, I have 2 arrays that are merged into one using mergerfs.
(The use case here is to have different RAID profiles for different
data in arbitrary locations):
3x8tb + 1x2tb in RAID1 meta+data -  rw,noatime,space_cache=v2,autodefrag
1x2tb in Single data + DUP metadata -
rw,noatime,space_cache,autodefrag,compress=zstd (this one is also
using xxhash instead of CRC32)

Syslog attached.

Thanks,
Daniel.

[-- Attachment #2: btrfs_bug_compress_zstd.log --]
[-- Type: application/octet-stream, Size: 12036 bytes --]

Aug 19 02:28:10 localhost kernel: [17722.005039] BUG: kernel NULL pointer dereference, address: 0000000000000000
Aug 19 02:28:10 localhost kernel: [17722.005057] #PF: supervisor read access in kernel mode
Aug 19 02:28:10 localhost kernel: [17722.005066] #PF: error_code(0x0000) - not-present page
Aug 19 02:28:10 localhost kernel: [17722.005075] PGD 0 P4D 0 
Aug 19 02:28:10 localhost kernel: [17722.005081] Oops: 0000 [#1] SMP NOPTI
Aug 19 02:28:10 localhost kernel: [17722.005088] CPU: 0 PID: 296332 Comm: kworker/u256:5 Not tainted 5.7.0-2-amd64 #1 Debian 5.7.10-1
Aug 19 02:28:10 localhost kernel: [17722.005103] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
Aug 19 02:28:10 localhost kernel: [17722.005140] Workqueue: btrfs-delalloc btrfs_work_helper [btrfs]
Aug 19 02:28:10 localhost kernel: [17722.005181] RIP: 0010:compress_file_range+0x751/0x830 [btrfs]
Aug 19 02:28:10 localhost kernel: [17722.005200] Code: db 41 83 c9 0f e8 3f bf 01 00 31 c0 48 83 7c 24 50 00 4c 8b 1c 24 74 69 4c 89 dd eb 0d 83 c3 01 48 63 c3 48 3b 44 24 50 73 54 <48> 8b 7c c5 00 48 83 7f 18 00 75 5b 48 8b 47 08 48 8d 50 ff a8 01
Aug 19 02:28:10 localhost kernel: [17722.005241] RSP: 0018:ffffa58a42c5fd68 EFLAGS: 00010202
Aug 19 02:28:10 localhost kernel: [17722.005267] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd684c1898287
Aug 19 02:28:10 localhost kernel: [17722.005282] RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffffd684c8efe840
Aug 19 02:28:10 localhost kernel: [17722.005297] RBP: 0000000000000000 R08: ffffffff85407038 R09: 00000000000002d6
Aug 19 02:28:10 localhost kernel: [17722.005312] R10: 0000000002eb6182 R11: 0000000000000000 R12: 0000000000001000
Aug 19 02:28:10 localhost kernel: [17722.005328] R13: 0000000000000000 R14: 0000000000000fff R15: 0000000000000000
Aug 19 02:28:10 localhost kernel: [17722.005344] FS:  0000000000000000(0000) GS:ffff8ebf62a00000(0000) knlGS:0000000000000000
Aug 19 02:28:10 localhost kernel: [17722.005366] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 19 02:28:10 localhost kernel: [17722.005382] CR2: 0000000000000000 CR3: 0000000252d20003 CR4: 00000000003606f0
Aug 19 02:28:10 localhost kernel: [17722.005700] Call Trace:
Aug 19 02:28:10 localhost kernel: [17722.006030]  ? submit_compressed_extents+0x430/0x430 [btrfs]
Aug 19 02:28:10 localhost kernel: [17722.006329]  async_cow_start+0x12/0x30 [btrfs]
Aug 19 02:28:10 localhost kernel: [17722.006650]  btrfs_work_helper+0xc2/0x3b0 [btrfs]
Aug 19 02:28:10 localhost kernel: [17722.006942]  ? __schedule+0x2e2/0x770
Aug 19 02:28:10 localhost kernel: [17722.007250]  process_one_work+0x1b4/0x380
Aug 19 02:28:10 localhost kernel: [17722.007532]  worker_thread+0x50/0x3c0
Aug 19 02:28:10 localhost kernel: [17722.007806]  kthread+0xf9/0x130
Aug 19 02:28:10 localhost kernel: [17722.008096]  ? process_one_work+0x380/0x380
Aug 19 02:28:10 localhost kernel: [17722.008363]  ? kthread_park+0x90/0x90
Aug 19 02:28:10 localhost kernel: [17722.008640]  ret_from_fork+0x1f/0x40
Aug 19 02:28:10 localhost kernel: [17722.008899] Modules linked in: ipt_REJECT nf_reject_ipv4 xt_multiport xt_nat xt_tcpudp veth nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc overlay wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 poly1305_x86_64 ip6_udp_tunnel udp_tunnel libblake2s blake2s_x86_64 libblake2s_generic libchacha tun rfkill nft_chain_nat xt_state nft_counter xt_MASQUERADE nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock fuse intel_rapl_msr intel_rapl_common ghash_clmulni_intel xxhash_generic aesni_intel libaes crypto_simd cryptd glue_helper rapl vmw_balloon pcspkr joydev serio_raw vmw_vmci sg squashfs ac evdev loop parport_pc ppdev lp nfsd parport auth_rpcgss nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic xor zstd_decompress zstd_compress raid6_pq libcrc32c
Aug 19 02:28:10 localhost kernel: [17722.008921]  crc32c_generic hid_generic usbhid hid sd_mod t10_pi crc_t10dif crct10dif_generic sr_mod cdrom ata_generic vmwgfx ttm drm_kms_helper xhci_pci uhci_hcd ahci ata_piix libahci libata xhci_hcd mptspi mptscsih mptbase crct10dif_pclmul crct10dif_common scsi_transport_spi crc32_pclmul crc32c_intel scsi_mod psmouse cec ehci_pci ehci_hcd drm i2c_piix4 usbcore vmxnet3 usb_common button
Aug 19 02:28:10 localhost kernel: [17722.015954] CR2: 0000000000000000
Aug 19 02:28:10 localhost kernel: [17722.016456] ---[ end trace 539d173251a17c50 ]---
Aug 19 02:28:10 localhost kernel: [17722.017048] RIP: 0010:compress_file_range+0x751/0x830 [btrfs]
Aug 19 02:28:10 localhost kernel: [17722.017605] Code: db 41 83 c9 0f e8 3f bf 01 00 31 c0 48 83 7c 24 50 00 4c 8b 1c 24 74 69 4c 89 dd eb 0d 83 c3 01 48 63 c3 48 3b 44 24 50 73 54 <48> 8b 7c c5 00 48 83 7f 18 00 75 5b 48 8b 47 08 48 8d 50 ff a8 01
Aug 19 02:28:10 localhost kernel: [17722.019297] RSP: 0018:ffffa58a42c5fd68 EFLAGS: 00010202
Aug 19 02:28:10 localhost kernel: [17722.019839] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd684c1898287
Aug 19 02:28:10 localhost kernel: [17722.020391] RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffffd684c8efe840
Aug 19 02:28:10 localhost kernel: [17722.021022] RBP: 0000000000000000 R08: ffffffff85407038 R09: 00000000000002d6
Aug 19 02:28:10 localhost kernel: [17722.021444] R10: 0000000002eb6182 R11: 0000000000000000 R12: 0000000000001000
Aug 19 02:28:10 localhost kernel: [17722.021881] R13: 0000000000000000 R14: 0000000000000fff R15: 0000000000000000
Aug 19 02:28:10 localhost kernel: [17722.022259] FS:  0000000000000000(0000) GS:ffff8ebf62a00000(0000) knlGS:0000000000000000
Aug 19 02:28:10 localhost kernel: [17722.022612] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 19 02:28:10 localhost kernel: [17722.023026] CR2: 0000000000000000 CR3: 0000000252d20003 CR4: 00000000003606f0
Aug 19 02:28:25 localhost kernel: [17737.094399] BUG: kernel NULL pointer dereference, address: 0000000000000000
Aug 19 02:28:25 localhost kernel: [17737.094740] #PF: supervisor read access in kernel mode
Aug 19 02:28:25 localhost kernel: [17737.095170] #PF: error_code(0x0000) - not-present page
Aug 19 02:28:25 localhost kernel: [17737.095561] PGD 0 P4D 0 
Aug 19 02:28:25 localhost kernel: [17737.095960] Oops: 0000 [#2] SMP NOPTI
Aug 19 02:28:25 localhost kernel: [17737.096323] CPU: 0 PID: 378682 Comm: kworker/u256:4 Tainted: G      D           5.7.0-2-amd64 #1 Debian 5.7.10-1
Aug 19 02:28:25 localhost kernel: [17737.097060] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
Aug 19 02:28:25 localhost kernel: [17737.097837] Workqueue: btrfs-delalloc btrfs_work_helper [btrfs]
Aug 19 02:28:25 localhost kernel: [17737.098220] RIP: 0010:compress_file_range+0x751/0x830 [btrfs]
Aug 19 02:28:25 localhost kernel: [17737.098585] Code: db 41 83 c9 0f e8 3f bf 01 00 31 c0 48 83 7c 24 50 00 4c 8b 1c 24 74 69 4c 89 dd eb 0d 83 c3 01 48 63 c3 48 3b 44 24 50 73 54 <48> 8b 7c c5 00 48 83 7f 18 00 75 5b 48 8b 47 08 48 8d 50 ff a8 01
Aug 19 02:28:25 localhost kernel: [17737.099764] RSP: 0018:ffffa58a42ea7d68 EFLAGS: 00010202
Aug 19 02:28:25 localhost kernel: [17737.100131] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd684c9983ac7
Aug 19 02:28:25 localhost kernel: [17737.100500] RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffffd684c8745fc0
Aug 19 02:28:25 localhost kernel: [17737.100850] RBP: 0000000000000000 R08: ffffffff854071b8 R09: 0000000000000348
Aug 19 02:28:25 localhost kernel: [17737.101239] R10: 0000000000000131 R11: 0000000000000000 R12: 0000000000001000
Aug 19 02:28:25 localhost kernel: [17737.101578] R13: 0000000000000000 R14: 0000000000000fff R15: 0000000000000000
Aug 19 02:28:25 localhost kernel: [17737.101897] FS:  0000000000000000(0000) GS:ffff8ebf62a00000(0000) knlGS:0000000000000000
Aug 19 02:28:25 localhost kernel: [17737.102218] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 19 02:28:25 localhost kernel: [17737.102650] CR2: 0000000000000000 CR3: 0000000101e54001 CR4: 00000000003606f0
Aug 19 02:28:25 localhost kernel: [17737.103099] Call Trace:
Aug 19 02:28:25 localhost kernel: [17737.103429]  ? submit_compressed_extents+0x430/0x430 [btrfs]
Aug 19 02:28:25 localhost kernel: [17737.103844]  async_cow_start+0x12/0x30 [btrfs]
Aug 19 02:28:25 localhost kernel: [17737.104176]  btrfs_work_helper+0xc2/0x3b0 [btrfs]
Aug 19 02:28:25 localhost kernel: [17737.104514]  ? __schedule+0x2e2/0x770
Aug 19 02:28:25 localhost kernel: [17737.104868]  process_one_work+0x1b4/0x380
Aug 19 02:28:25 localhost kernel: [17737.105158]  worker_thread+0x50/0x3c0
Aug 19 02:28:25 localhost kernel: [17737.105473]  kthread+0xf9/0x130
Aug 19 02:28:25 localhost kernel: [17737.105823]  ? process_one_work+0x380/0x380
Aug 19 02:28:25 localhost kernel: [17737.106139]  ? kthread_park+0x90/0x90
Aug 19 02:28:25 localhost kernel: [17737.106406]  ret_from_fork+0x1f/0x40
Aug 19 02:28:25 localhost kernel: [17737.106720] Modules linked in: ipt_REJECT nf_reject_ipv4 xt_multiport xt_nat xt_tcpudp veth nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc overlay wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 poly1305_x86_64 ip6_udp_tunnel udp_tunnel libblake2s blake2s_x86_64 libblake2s_generic libchacha tun rfkill nft_chain_nat xt_state nft_counter xt_MASQUERADE nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock fuse intel_rapl_msr intel_rapl_common ghash_clmulni_intel xxhash_generic aesni_intel libaes crypto_simd cryptd glue_helper rapl vmw_balloon pcspkr joydev serio_raw vmw_vmci sg squashfs ac evdev loop parport_pc ppdev lp nfsd parport auth_rpcgss nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic xor zstd_decompress zstd_compress raid6_pq libcrc32c
Aug 19 02:28:25 localhost kernel: [17737.106742]  crc32c_generic hid_generic usbhid hid sd_mod t10_pi crc_t10dif crct10dif_generic sr_mod cdrom ata_generic vmwgfx ttm drm_kms_helper xhci_pci uhci_hcd ahci ata_piix libahci libata xhci_hcd mptspi mptscsih mptbase crct10dif_pclmul crct10dif_common scsi_transport_spi crc32_pclmul crc32c_intel scsi_mod psmouse cec ehci_pci ehci_hcd drm i2c_piix4 usbcore vmxnet3 usb_common button
Aug 19 02:28:25 localhost kernel: [17737.111562] CR2: 0000000000000000
Aug 19 02:28:25 localhost kernel: [17737.111949] ---[ end trace 539d173251a17c51 ]---
Aug 19 02:28:25 localhost kernel: [17737.112434] RIP: 0010:compress_file_range+0x751/0x830 [btrfs]
Aug 19 02:28:25 localhost kernel: [17737.112858] Code: db 41 83 c9 0f e8 3f bf 01 00 31 c0 48 83 7c 24 50 00 4c 8b 1c 24 74 69 4c 89 dd eb 0d 83 c3 01 48 63 c3 48 3b 44 24 50 73 54 <48> 8b 7c c5 00 48 83 7f 18 00 75 5b 48 8b 47 08 48 8d 50 ff a8 01
Aug 19 02:28:25 localhost kernel: [17737.113951] RSP: 0018:ffffa58a42c5fd68 EFLAGS: 00010202
Aug 19 02:28:25 localhost kernel: [17737.114330] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd684c1898287
Aug 19 02:28:25 localhost kernel: [17737.114778] RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffffd684c8efe840
Aug 19 02:28:25 localhost kernel: [17737.115170] RBP: 0000000000000000 R08: ffffffff85407038 R09: 00000000000002d6
Aug 19 02:28:25 localhost kernel: [17737.115562] R10: 0000000002eb6182 R11: 0000000000000000 R12: 0000000000001000
Aug 19 02:28:25 localhost kernel: [17737.115958] R13: 0000000000000000 R14: 0000000000000fff R15: 0000000000000000
Aug 19 02:28:25 localhost kernel: [17737.116396] FS:  0000000000000000(0000) GS:ffff8ebf62a00000(0000) knlGS:0000000000000000
Aug 19 02:28:25 localhost kernel: [17737.116801] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 19 02:28:25 localhost kernel: [17737.117174] CR2: 0000000000000000 CR3: 0000000101e54001 CR4: 00000000003606f0

Re: BUG: kernel NULL pointer dereference when using zstd

[Qu Wenruo]

[-- Attachment #1.1: Type: text/plain, Size: 1159 bytes --]



On 2020/8/20 上午7:14, Daniel Martinez wrote:
> Hello,
> 
> I have encountered a bug when using zstd compression (I assume that's
> what caused it, but I could be wrong) on the Debian kernel 5.7.10-1.

It's not zstd I guess, but a generic compression bug.

It's fixed by the upstream commit 1e6e238c3002 ("btrfs: inode: fix NULL
pointer dereference if inode doesn't need compression").

It's not yet merged into v5.7.y stable branch, I guess I need to
backport it manually then.

Thanks,
Qu
> 
> Not sure if its relevant, but I may be hitting some corner case here,
> so my full storage stack is:
> Windows 10 -> VMware workstation full drive passthrough -> btrfs x2 -> mergerfs
> 
> In btrfs, I have 2 arrays that are merged into one using mergerfs.
> (The use case here is to have different RAID profiles for different
> data in arbitrary locations):
> 3x8tb + 1x2tb in RAID1 meta+data -  rw,noatime,space_cache=v2,autodefrag
> 1x2tb in Single data + DUP metadata -
> rw,noatime,space_cache,autodefrag,compress=zstd (this one is also
> using xxhash instead of CRC32)
> 
> Syslog attached.
> 
> Thanks,
> Daniel.
> 


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: BUG: kernel NULL pointer dereference when using zstd

[David Sterba]

On Thu, Aug 20, 2020 at 07:31:15AM +0800, Qu Wenruo wrote:
> 
> 
> On 2020/8/20 上午7:14, Daniel Martinez wrote:
> > Hello,
> > 
> > I have encountered a bug when using zstd compression (I assume that's
> > what caused it, but I could be wrong) on the Debian kernel 5.7.10-1.
> 
> It's not zstd I guess, but a generic compression bug.
> 
> It's fixed by the upstream commit 1e6e238c3002 ("btrfs: inode: fix NULL
> pointer dereference if inode doesn't need compression").
> 
> It's not yet merged into v5.7.y stable branch, I guess I need to
> backport it manually then.

The commit is in 5.4, 5.7 and 5.8 queue, so the next stable release will
have it.