[BUG] v5.13.8 kernel NULL pointer dereference on SD card removal

From: Krzysztof Hałasa
Date: Tue Aug 17 2021 - 07:15:56 EST


Perhaps someone could use this. TIA.

Mounted an EXT4FS SD card (apparently). Removed the USB reader (with the
card) from the machine. Core i7 CPU, x86-64. Fedora normal kernel.

Now mounting:
usb 3-14: new high-speed USB device number 34 using xhci_hcd
usb 3-14: New USB device found, idVendor=05e3, idProduct=0738, bcdDevice= 0.01
usb 3-14: New USB device strings: Mfr=3, Product=4, SerialNumber=5
usb 3-14: Product: USB3 Reader
usb 3-14: Manufacturer: Genesys
usb-storage 3-14:1.0: USB Mass Storage device detected
scsi host8: usb-storage 3-14:1.0
scsi 8:0:0:0: Direct-Access Generic STORAGE DEVICE FT01 PQ: 0 ANSI: 6
scsi 8:0:0:1: Direct-Access Generic STORAGE DEVICE FT01 PQ: 0 ANSI: 6
sd 8:0:0:0: Attached scsi generic sg4 type 0
sd 8:0:0:1: Attached scsi generic sg5 type 0
sd 8:0:0:1: [sdf] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
sd 8:0:0:1: [sdf] Write Protect is off
sd 8:0:0:1: [sdf] Mode Sense: 21 00 00 00
sd 8:0:0:1: [sdf] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
sd 8:0:0:0: [sde] Attached SCSI removable disk
sdf: sdf1 sdf2
sd 8:0:0:1: [sdf] Attached SCSI removable disk
EXT4-fs (sdf2): recovery complete
EXT4-fs (sdf2): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.

Then removing:
usb 3-14: USB disconnect, device number 34
blk_update_request: I/O error, dev sdf, sector 25832 op 0x1:(WRITE) flags 0x3000 phys_seg 1 prio class 0
Buffer I/O error on dev sdf2, logical block 157, lost async page write
blk_update_request: I/O error, dev sdf, sector 29368 op 0x1:(WRITE) flags 0x3000 phys_seg 1 prio class 0
Buffer I/O error on dev sdf2, logical block 599, lost async page write
blk_update_request: I/O error, dev sdf, sector 29752 op 0x1:(WRITE) flags 0x3000 phys_seg 3 prio class 0
Buffer I/O error on dev sdf2, logical block 647, lost async page write
Buffer I/O error on dev sdf2, logical block 648, lost async page write
Buffer I/O error on dev sdf2, logical block 649, lost async page write
JBD2: Error while async write back metadata bh 157.
Aborting journal on device sdf2-8.
blk_update_request: I/O error, dev sdf, sector 1597440 op 0x1:(WRITE) flags 0x800 phys_seg 1 prio class 0
Buffer I/O error on dev sdf2, logical block 196608, lost sync page write
JBD2: Error -5 detected when updating journal superblock for sdf2-8.
JBD2: Error while async write back metadata bh 599.
JBD2: Error while async write back metadata bh 647.
JBD2: Error while async write back metadata bh 648.
udisksd[7311]: Cleaning up mount point /run/media/* (device 8:82 no longer exists)
systemd[1]: run-media-*.mount: Deactivated successfully.
JBD2: Error while async write back metadata bh 649.

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 2 PID: 279 Comm: kworker/2:1H Not tainted 5.13.8-200.fc34.x86_64 #1
Hardware name: ASUS All Series/Z87-PLUS, BIOS 2103 08/15/2014
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:sbitmap_get+0x75/0x190
Code: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48 c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 <48> 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e8 4a f7 ff ff 83 f8 ff 75 58
RSP: 0000:ffffac8ac0353d58 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff955706c6a030
RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9555809b8c6c
R10: 0000000000000008 R11: 0000000000000008 R12: 0000000000000000
R13: 0000000000000040 R14: 0000000000000000 R15: ffff955706c6a030
FS: 0000000000000000(0000) GS:ffff955c8fa80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000003b298a006 CR4: 00000000001706e0
Call Trace:
scsi_mq_get_budget+0x1a/0x110
__blk_mq_do_dispatch_sched+0x1b4/0x2d0
? __switch_to_xtra+0x111/0x500
__blk_mq_sched_dispatch_requests+0x129/0x180
blk_mq_sched_dispatch_requests+0x30/0x60
__blk_mq_run_hw_queue+0x2d/0x60
process_one_work+0x1ec/0x380
worker_thread+0x53/0x3e0
? process_one_work+0x380/0x380
kthread+0x127/0x150
? set_kthread_struct+0x40/0x40
ret_from_fork+0x22/0x30
Modules linked in: nls_utf8 isofs ib_core vfat fat uas usb_storage pl2303 cdc_acm tun intel_rapl_msr snd_hda_codec_hdmi snd_hda_codec_realtek i915 snd_hda_codec_generic ledtrig_audio intel_rapl_common snd_hda_intel i2c_algo_bit drm_kms_helper x86_pkg_temp_thermal snd_intel_dspcfg intel_powerclamp snd_intel_sdw_acpi snd_hda_codec coretemp snd_hda_core rapl ftdi_sio joydev intel_cstate snd_hwdep snd_seq mei_hdcp snd_seq_device intel_uncore snd_pcm mei_me snd_timer at24 snd soundcore cec i2c_i801 mei e1000e mxm_wmi wmi_bmof lpc_ich i2c_smbus drm fuse ip_tables raid1 crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel video wmi
CR2: 0000000000000000
---[ end trace 17813201f8776546 ]---
--
Krzysztof "Chris" Hałasa

Sieć Badawcza Łukasiewicz
Przemysłowy Instytut Automatyki i Pomiarów PIAP
Al. Jerozolimskie 202, 02-486 Warszawa
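A report like the one above is normally triaged by reading the oops by hand. For anyone collecting such reports from dmesg or a mailing list at scale, the block below is an added example (written for this page; it is not code from the report or from the Linux kernel) that turns the oops text into structured fields: fault kind and address, access mode, task and CPU, taint state, workqueue, the faulting symbol from RIP, the call-trace frames with their "? " reliability markers, the module list and the trace id. It assumes the x86-64 oops layout shown in the report and embeds a constructed subset of those lines as sample input. The `is_null_deref()` check is this example's own heuristic (a fault address inside the first page is NULL plus a small struct-field offset), not something the report states.

```python
"""Structured triage of a Linux x86-64 kernel oops.
Added example for this page, not code from the report or from the kernel;
the regexes follow the oops layout shown above and assume that layout."""
import re

# Constructed sample input: a subset of the oops lines from the report,
# with the "Modules linked in" list shortened.
SAMPLE_OOPS = """\
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
CPU: 2 PID: 279 Comm: kworker/2:1H Not tainted 5.13.8-200.fc34.x86_64 #1
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:sbitmap_get+0x75/0x190
Call Trace:
 scsi_mq_get_budget+0x1a/0x110
 __blk_mq_do_dispatch_sched+0x1b4/0x2d0
 ? __switch_to_xtra+0x111/0x500
 __blk_mq_sched_dispatch_requests+0x129/0x180
 blk_mq_sched_dispatch_requests+0x30/0x60
 __blk_mq_run_hw_queue+0x2d/0x60
 process_one_work+0x1ec/0x380
 worker_thread+0x53/0x3e0
 ? process_one_work+0x380/0x380
 kthread+0x127/0x150
 ? set_kthread_struct+0x40/0x40
 ret_from_fork+0x22/0x30
Modules linked in: nls_utf8 isofs ib_core vfat fat uas usb_storage
---[ end trace 17813201f8776546 ]---
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg timestamp prefix
_BUG = re.compile(r"^BUG: kernel (.+?), address: ([0-9a-f]+)$")
_PF = re.compile(r"^#PF: (supervisor|user) (read|write|instruction fetch) "
                 r"access in (kernel|user) mode$")
_CPU = re.compile(r"^CPU: (\d+) (?:UID: \d+ )?PID: (\d+) Comm: (.+?) "
                  r"(Not tainted|Tainted: .+?) (\S+) #\d+$")
_WQ = re.compile(r"^Workqueue: (\S+) (\S+)$")
_RIP = re.compile(r"^RIP: [0-9a-f]{4}:(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
_FRAME = re.compile(r"^(\? )?(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\S+)\])?$")
_MODS = re.compile(r"^Modules linked in: ?(.*)$")
_END = re.compile(r"^---\[ end trace ([0-9a-f]+) \]---$")

def parse_oops(text):
    """Return a dict of triage fields; lines the parser does not know are skipped."""
    info = {"call_trace": [], "modules": []}
    in_trace = False
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if not line or line in ("<TASK>", "</TASK>"):
            continue
        if in_trace:
            m = _FRAME.match(line)
            if m:
                info["call_trace"].append({
                    "symbol": m.group(2), "module": m.group(5),
                    "offset": int(m.group(3), 16), "size": int(m.group(4), 16),
                    # "? " marks a stale stack slot the unwinder could not confirm
                    "unreliable": m.group(1) is not None})
                continue
            in_trace = False  # first non-frame line closes the trace
        if line == "Call Trace:":
            in_trace = True
        elif m := _BUG.match(line):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := _PF.match(line):
            info["access"] = (m.group(1), m.group(2), m.group(3))
        elif m := _CPU.match(line):
            info["cpu"], info["pid"], info["comm"] = int(m.group(1)), int(m.group(2)), m.group(3)
            info["tainted"] = m.group(4).startswith("Tainted")
            info["kernel"] = m.group(5)
        elif m := _WQ.match(line):
            info["workqueue"] = (m.group(1), m.group(2))
        elif m := _RIP.match(line):
            info["rip"] = {"symbol": m.group(1), "offset": int(m.group(2), 16),
                           "size": int(m.group(3), 16)}
        elif m := _MODS.match(line):
            info["modules"] = m.group(1).split()
        elif m := _END.match(line):
            info["trace_id"] = m.group(1)
    return info

def is_null_deref(info):
    """This example's heuristic: a fault address in the first page is NULL plus a field offset."""
    return "address" in info and info["address"] < 0x1000

def summarize(info):
    """One-line summary for a ticket title or an alert."""
    rip = info.get("rip", {})
    where = "%s+0x%x/0x%x" % (rip.get("symbol", "?"), rip.get("offset", 0), rip.get("size", 0))
    reliable = [f["symbol"] for f in info["call_trace"] if not f["unreliable"]]
    via = " -> ".join(reliable[:3]) or "?"
    return (f"{info.get('kind', 'oops')} at 0x{info.get('address', 0):x} in {where}, "
            f"task {info.get('comm', '?')} (pid {info.get('pid', '?')}) on CPU "
            f"{info.get('cpu', '?')}, kernel {info.get('kernel', '?')}"
            f"{' [tainted]' if info.get('tainted') else ''}, via {via}")

if __name__ == "__main__":
    print(summarize(parse_oops(SAMPLE_OOPS)))
```

Run as a script it prints the one-line summary for the embedded sample; fed real dmesg output, the leading `[ 123.456]` timestamps are stripped and `<TASK>` markers from newer kernels are ignored. The reliable frames (those without a "? " prefix) are what is worth keying de-duplication on: for this report that is `sbitmap_get` reached from `scsi_mq_get_budget` under the `kblockd` workqueue.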