Re: [BUG] NULL pointer dereference in udf_sb_free_partitions
From: Jan Kara
Date: Mon Jan 14 2013 - 10:18:30 EST
On Mon 14-01-13 14:19:39, Namjae Jeon wrote:
> 2013/1/13, James Hogan <james@xxxxxxxxxxxxx>:
> > Hi,
> >
> > I've encountered a reproducible kernel bug which makes the screen switch
> > to a console and display the kernel log below. This is what I did:
> >
> > * Insert a particular DVD-R I have which appears to be corrupt. It then
> > makes the DVD drive make some unpleasant noises (my TV also makes
> > unpleasant noises when it's inserted).
> >
> > * I go to mount it in KDE, it continues making noises and outputs some
> > of the errors in the kernel log below (things like Mechanical
> > positioning error, which makes sense since it's making unusual
> > noises).
> >
> > * After a while it says the mount failed.
> >
> > * After a while I typed the eject command, and pressed eject button
> >
> > * After a while longer the DVD is eventually ejected and at that point
> > the kernel log is displayed on screen.
> >
> > * I can use VT switch to get back to desktop. I tried running sync as I
> > wanted the log to be saved, but it never returned, although most other
> > things seemed to continue working. Rebooted fine.
> >
> > First observed on v3.7 vanilla kernel (tried twice, happened both
> > times), now running v3.8-rc3 and it happened when I tried it again.
> >
> > I haven't tried debugging it any further, but am happy to provide more
> > info as required or test patches.
> >
> > Cheers
> > James
> >
> >
> > (told it to mount)
> >
> > [ 1300.219641] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1300.219652] sr 8:0:0:0: [sr0]
> > [ 1300.219658] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1300.219664] sr 8:0:0:0: [sr0]
> > [ 1300.219668] Sense Key : Hardware Error [current]
> > [ 1300.219675] Info fld=0x119368
> > [ 1300.219680] sr 8:0:0:0: [sr0]
> > [ 1300.219686] Add. Sense: Mechanical positioning error
> > [ 1300.219692] sr 8:0:0:0: [sr0] CDB:
> > [ 1300.219695] Read(10): 28 00 00 11 93 68 00 00 01 00
> > [ 1300.219711] end_request: I/O error, dev sr0, sector 4607392
> > [ 1300.219766] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=1151848, location=1151576
> > [ 1300.219780] UDF-fs: error (device sr0): __udf_read_inode: (ino 1151848)
> > failed !bh
> > [ 1310.294257] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1310.294268] sr 8:0:0:0: [sr0]
> > [ 1310.294274] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1310.294279] sr 8:0:0:0: [sr0]
> > [ 1310.294283] Sense Key : Hardware Error [current]
> > [ 1310.294289] Info fld=0x119367
> > [ 1310.294294] sr 8:0:0:0: [sr0]
> > [ 1310.294300] Add. Sense: Mechanical positioning error
> > [ 1310.294305] sr 8:0:0:0: [sr0] CDB:
> > [ 1310.294308] Read(10): 28 00 00 11 93 67 00 00 01 00
> > [ 1310.294324] end_request: I/O error, dev sr0, sector 4607388
> > [ 1310.294388] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=1151847, location=1151575
> > [ 1310.294400] UDF-fs: error (device sr0): __udf_read_inode: (ino 1151847)
> > failed !bh
> > [ 1320.324070] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1320.324081] sr 8:0:0:0: [sr0]
> > [ 1320.324087] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1320.324093] sr 8:0:0:0: [sr0]
> > [ 1320.324097] Sense Key : Hardware Error [current]
> > [ 1320.324104] Info fld=0x119366
> > [ 1320.324109] sr 8:0:0:0: [sr0]
> > [ 1320.324115] Add. Sense: Mechanical positioning error
> > [ 1320.324121] sr 8:0:0:0: [sr0] CDB:
> > [ 1320.324124] Read(10): 28 00 00 11 93 66 00 00 01 00
> > [ 1320.324140] end_request: I/O error, dev sr0, sector 4607384
> > [ 1320.324195] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=1151846, location=1151574
> > [ 1320.324208] UDF-fs: error (device sr0): __udf_read_inode: (ino 1151846)
> > failed !bh
> > [ 1330.432689] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1330.432701] sr 8:0:0:0: [sr0]
> > [ 1330.432706] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1330.432712] sr 8:0:0:0: [sr0]
> > [ 1330.432716] Sense Key : Hardware Error [current]
> > [ 1330.432722] Info fld=0x119365
> > [ 1330.432728] sr 8:0:0:0: [sr0]
> > [ 1330.432733] Add. Sense: Mechanical positioning error
> > [ 1330.432739] sr 8:0:0:0: [sr0] CDB:
> > [ 1330.432742] Read(10): 28 00 00 11 93 65 00 00 01 00
> > [ 1330.432758] end_request: I/O error, dev sr0, sector 4607380
> > [ 1330.432814] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=1151845, location=1151573
> > [ 1330.432827] UDF-fs: error (device sr0): __udf_read_inode: (ino 1151845)
> > failed !bh
> > [ 1330.432842] UDF-fs: Failed to read VAT inode from the last recorded block
> > (1151848), retrying with the last block of the device (2295103).
> > [ 1340.483225] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1340.483237] sr 8:0:0:0: [sr0]
> > [ 1340.483242] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1340.483247] sr 8:0:0:0: [sr0]
> > [ 1340.483251] Sense Key : Hardware Error [current]
> > [ 1340.483257] Info fld=0x23053f
> > [ 1340.483263] sr 8:0:0:0: [sr0]
> > [ 1340.483268] Add. Sense: Mechanical positioning error
> > [ 1340.483273] sr 8:0:0:0: [sr0] CDB:
> > [ 1340.483276] Read(10): 28 00 00 23 05 3f 00 00 01 00
> > [ 1340.483292] end_request: I/O error, dev sr0, sector 9180412
> > [ 1340.483373] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=2295103, location=2294831
> > [ 1340.483385] UDF-fs: error (device sr0): __udf_read_inode: (ino 2295103)
> > failed !bh
> >
> > some point around here I tried to eject
> >
> > [ 1350.533357] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1350.533368] sr 8:0:0:0: [sr0]
> > [ 1350.533374] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1350.533380] sr 8:0:0:0: [sr0]
> > [ 1350.533384] Sense Key : Hardware Error [current]
> > [ 1350.533390] Info fld=0x23053e
> > [ 1350.533395] sr 8:0:0:0: [sr0]
> > [ 1350.533400] Add. Sense: Mechanical positioning error
> > [ 1350.533406] sr 8:0:0:0: [sr0] CDB:
> > [ 1350.533409] Read(10): 28 00 00 23 05 3e 00 00 01 00
> > [ 1350.533425] end_request: I/O error, dev sr0, sector 9180408
> > [ 1350.533488] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=2295102, location=2294830
> > [ 1350.533501] UDF-fs: error (device sr0): __udf_read_inode: (ino 2295102)
> > failed !bh
> > [ 1360.581244] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1360.581255] sr 8:0:0:0: [sr0]
> > [ 1360.581260] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1360.581266] sr 8:0:0:0: [sr0]
> > [ 1360.581270] Sense Key : Hardware Error [current]
> > [ 1360.581277] Info fld=0x23053d
> > [ 1360.581282] sr 8:0:0:0: [sr0]
> > [ 1360.581287] Add. Sense: Mechanical positioning error
> > [ 1360.581293] sr 8:0:0:0: [sr0] CDB:
> > [ 1360.581296] Read(10): 28 00 00 23 05 3d 00 00 01 00
> > [ 1360.581312] end_request: I/O error, dev sr0, sector 9180404
> > [ 1360.581365] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=2295101, location=2294829
> > [ 1360.581377] UDF-fs: error (device sr0): __udf_read_inode: (ino 2295101)
> > failed !bh
> > [ 1377.505817] sr 8:0:0:0: [sr0] Unhandled sense code
> > [ 1377.505828] sr 8:0:0:0: [sr0]
> > [ 1377.505834] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1377.505840] sr 8:0:0:0: [sr0]
> > [ 1377.505844] Sense Key : Hardware Error [current]
> > [ 1377.505850] Info fld=0x23053c
> > [ 1377.505856] sr 8:0:0:0: [sr0]
> > [ 1377.505862] Add. Sense: Mechanical positioning error
> > [ 1377.505867] sr 8:0:0:0: [sr0] CDB:
> > [ 1377.505870] Read(10): 28 00 00 23 05 3c 00 00 01 00
> > [ 1377.505886] end_request: I/O error, dev sr0, sector 9180400
> > [ 1377.505953] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=2295100, location=2294828
> > [ 1377.505966] UDF-fs: error (device sr0): __udf_read_inode: (ino 2295100)
> > failed !bh
> >
> > finally it ejected
> >
> > [ 1384.719455] sr 8:0:0:0: [sr0] Device not ready
> > [ 1384.719467] sr 8:0:0:0: [sr0]
> > [ 1384.719473] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
> > [ 1384.719479] sr 8:0:0:0: [sr0]
> > [ 1384.719482] Sense Key : Not Ready [current]
> > [ 1384.719490] sr 8:0:0:0: [sr0]
> > [ 1384.719496] Add. Sense: Medium not present
> > [ 1384.719501] sr 8:0:0:0: [sr0] CDB:
> > [ 1384.719506] Read(10): 28 00 00 00 00 28 00 00 01 00
> > [ 1384.719522] end_request: I/O error, dev sr0, sector 160
> > [ 1384.719572] UDF-fs: error (device sr0): udf_read_tagged: read failed,
> > block=40, location=40
> > [ 1384.719585] UDF-fs: error (device sr0): udf_process_sequence: Block 40 of
> > volume descriptor sequence is corrupted or we could not read it
> > [ 1384.719624] BUG: unable to handle kernel NULL pointer dereference at
> > 0000000000000054
> > [ 1384.719789] IP: [<ffffffffa06b80d1>] udf_sb_free_partitions+0x71/0x140
> > [udf]
> > [ 1384.719937] PGD 0
> > [ 1384.719982] Oops: 0000 [#1] SMP
> > [ 1384.720057] Modules linked in: nls_utf8 udf crc_itu_t tcp_lp be2iscsi
> > iscsi_boot_sysfs bnx2i cnic uio cxgb4i ip6t_REJECT cxgb4 cxgb3i
> > nf_conntrack_ipv6 cxgb3 bnep nf_defrag_ipv6 mdio libcxgbi nf_conntrack_ipv4
> > nf_defrag_ipv4 xt_state ib_iser nf_conntrack bluetooth rdma_cm ib_addr iw_cm
> > ib_cm ib_sa ib_mad rfkill ib_core iscsi_tcp libiscsi_tcp libiscsi
> > scsi_transport_iscsi it87 ip6table_filter ip6_tables hwmon_vid xfs libcrc32c
> > snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec
> > snd_hwdep snd_seq kvm snd_seq_device snd_pcm joydev snd_page_alloc snd_timer
> > sp5100_tco snd edac_core r8169 soundcore shpchp pcspkr i2c_piix4 k10temp mii
> > serio_raw edac_mce_amd microcode wmi nfsd auth_rpcgss nfs_acl lockd sunrpc
> > binfmt_misc uinput ata_generic pata_acpi dm_crypt pata_jmicron pata_atiixp
> > radeon i2c_algo_bit drm_kms_helper ttm drm i2c_core
> > [ 1384.721771] CPU 3
> > [ 1384.721818] Pid: 3684, comm: mount Not tainted 3.8.0-rc3 #107 Gigabyte
> > Technology Co., Ltd. GA-890GPA-UD3H/GA-890GPA-UD3H
> > [ 1384.722023] RIP: 0010:[<ffffffffa06b80d1>] [<ffffffffa06b80d1>]
> > udf_sb_free_partitions+0x71/0x140 [udf]
> > [ 1384.722210] RSP: 0018:ffff8801b7afbb38 EFLAGS: 00010246
> > [ 1384.722310] RAX: 0000000000000001 RBX: 0000000000000000 RCX:
> > 0000000000000056
> > [ 1384.722441] RDX: 00000000000000bc RSI: 0000000000000046 RDI:
> > ffff8801b096ec00
> > [ 1384.722572] RBP: ffff8801b7afbb58 R08: 000000000000000a R09:
> > 00000000000005a5
> > [ 1384.722704] R10: 0000000000000000 R11: 00000000000005a4 R12:
> > ffff8801b7afbcd4
> > [ 1384.722834] R13: 0000000000000000 R14: ffff880165d073c0 R15:
> > 0000000000000024
> > [ 1384.722967] FS: 00007f46f5224840(0000) GS:ffff88020fcc0000(0000)
> > knlGS:0000000000000000
> > [ 1384.723116] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > [ 1384.723223] CR2: 0000000000000054 CR3: 00000001a2ff0000 CR4:
> > 00000000000007e0
> > [ 1384.723354] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> > 0000000000000000
> > [ 1384.723485] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
> > 0000000000000400
> > [ 1384.723617] Process mount (pid: 3684, threadinfo ffff8801b7afa000, task
> > ffff880166280000)
> > [ 1384.723765] Stack:
> > [ 1384.723805] ffff8801b096ec00 ffff8801b7afbcd4 ffff8801d1fabc98
> > 0000000000000010
> > [ 1384.723958] ffff8801b7afbbb8 ffffffffa06b96b5 ffff880165d07540
> > 0000000b00005395
> > [ 1384.724110] 00007ffffffff000 00028802036a8340 ffff8801b7afbc30
> > ffff880165d073c0
> > [ 1384.724260] Call Trace:
> > [ 1384.724319] [<ffffffffa06b96b5>] udf_check_anchor_block+0x125/0x130
> > [udf]
> > [ 1384.724455] [<ffffffffa06b9721>] udf_scan_anchors+0x61/0x1c0 [udf]
> > [ 1384.724578] [<ffffffff811ce79c>] ? ioctl_by_bdev+0x3c/0x50
> > [ 1384.724689] [<ffffffffa06b9a1e>] udf_load_vrs+0x19e/0x2e0 [udf]
> > [ 1384.724808] [<ffffffffa06b9d00>] udf_fill_super+0x1a0/0x610 [udf]
> > [ 1384.724936] [<ffffffff8119af55>] mount_bdev+0x1c5/0x210
> > [ 1384.725041] [<ffffffffa06b9b60>] ? udf_load_vrs+0x2e0/0x2e0 [udf]
> > [ 1384.725164] [<ffffffffa06b7075>] udf_mount+0x15/0x20 [udf]
> > [ 1384.725271] [<ffffffff8119bc43>] mount_fs+0x43/0x1b0
> > [ 1384.725371] [<ffffffff811b531f>] vfs_kern_mount+0x6f/0x100
> > [ 1384.725479] [<ffffffff811b7706>] do_mount+0x216/0xa70
> > [ 1384.725580] [<ffffffff81135764>] ? __get_free_pages+0x14/0x50
> > [ 1384.730093] [<ffffffff811b735a>] ? copy_mount_options+0x3a/0x180
> > [ 1384.734657] [<ffffffff811b7fee>] sys_mount+0x8e/0xe0
> > [ 1384.739261] [<ffffffff8164bf19>] system_call_fastpath+0x16/0x1b
> > [ 1384.743932] Code: 66 3d 11 25 0f 84 b8 00 00 00 41 0f b7 46 28 41 83 c5
> > 01 44 39 e8 0f 8e 89 00 00 00 49 63 dd b9 56 00 00 00 48 0f af d9 49 03 1e
> > <0f> b7 43 54 a8 02 74 b7 48 8b 3b e8 7f 9b af e0 0f b7 43 54 a8
> > [ 1384.754014] RIP [<ffffffffa06b80d1>] udf_sb_free_partitions+0x71/0x140
> > [udf]
> > [ 1384.758925] RSP <ffff8801b7afbb38>
> > [ 1384.763755] CR2: 0000000000000054
> > [ 1384.787502] ---[ end trace 95272ca777accb4e ]---
> >
> Hi James.
> There is missing exception handling in memory leak patch. (udf: Fix
> memory leak when mounting)
> So, would you try to reproduce this problem with the patch below?
>
> Thanks.
>
> ---------------------------------------------------------------------------
> Subject: [PATCH] UDF: Fix a null pointer dereference in udf_sb_free_partitions
>
> This patch fixes a regression caused by commit bff943af6fe
> "udf: Fix memory leak when mounting" due to which it was triggering
> a kernel null pointer dereference in case of mount failed OR when allocating
> memory to sbi->s_partmaps failed in function udf_sb_alloc_partition_maps.
>
> Reported-by: James Hogan <james@xxxxxxxxxxxxx>
> Signed-off-by: Namjae Jeon <namjae.jeon@xxxxxxxxxxx>
> Signed-off-by: Ashish Sangwan <a.sangwan@xxxxxxxxxxx>
Yeah, the patch makes sense. Thanks Namjae. I'll wait a while for James
to test it and then merge the patch.
Honza
> ---
> fs/udf/super.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/fs/udf/super.c b/fs/udf/super.c
> index d44fb56..e9be396 100644
> --- a/fs/udf/super.c
> +++ b/fs/udf/super.c
> @@ -307,7 +307,8 @@ static void udf_sb_free_partitions(struct super_block *sb)
> {
> struct udf_sb_info *sbi = UDF_SB(sb);
> int i;
> -
> + if (sbi->s_partmaps == NULL)
> + return;
> for (i = 0; i < sbi->s_partitions; i++)
> udf_free_partition(&sbi->s_partmaps[i]);
> kfree(sbi->s_partmaps);
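Review bot: the early return on `sbi->s_partmaps == NULL` is inserted in place of the blank line after `int i;`, so the declarations now run straight into the first statement; keep the blank line and put the check below it. The check handles the state in which the array pointer is NULL while `sbi->s_partitions` is still non-zero (the fault address 0x54 inside udf_sb_free_partitions in the oops above is consistent with the loop indexing a NULL array), so a one-line comment saying when that state occurs would help the next reader: the commit message names the failed mount and the failed allocation in udf_sb_alloc_partition_maps. It is also worth considering whether the count should be reset wherever the array is absent, so that the loop bound and the pointer cannot disagree in the first place.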
> --
> 1.7.0.4
--
Jan Kara <jack@xxxxxxx>
SUSE Labs, CR