From patchwork Thu Oct 22 08:48:02 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tsutomu Itoh X-Patchwork-Id: 7463111 Return-Path: X-Original-To: patchwork-linux-btrfs@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id A015CBEEA4 for ; Thu, 22 Oct 2015 08:48:57 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6BFFB209A4 for ; Thu, 22 Oct 2015 08:48:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2583D2076E for ; Thu, 22 Oct 2015 08:48:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932396AbbJVIsp (ORCPT ); Thu, 22 Oct 2015 04:48:45 -0400 Received: from mgwkm01.jp.fujitsu.com ([202.219.69.168]:23148 "EHLO mgwkm01.jp.fujitsu.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932251AbbJVIsm (ORCPT ); Thu, 22 Oct 2015 04:48:42 -0400 Received: from kw-mxauth.gw.nic.fujitsu.com (unknown [192.168.231.132]) by mgwkm01.jp.fujitsu.com with smtp id 1286_83ab_6988c4de_0bb1_4bca_9b93_a1d62058f027; Thu, 22 Oct 2015 17:48:40 +0900 Received: from m3050.s.css.fujitsu.com (msm.b.css.fujitsu.com [10.134.21.208]) by kw-mxauth.gw.nic.fujitsu.com (Postfix) with ESMTP id 8AE6BAC0354 for ; Thu, 22 Oct 2015 17:48:39 +0900 (JST) Received: from WIN-5MHF4RKU941.jp.fujitsu.com (unknown [10.124.102.163]) by m3050.s.css.fujitsu.com (Postfix) with SMTP id 69DE5180 for ; Thu, 22 Oct 2015 17:48:39 +0900 (JST) X-SecurityPolicyCheck: OK by SHieldMailChecker v2.3.2 X-SHieldMailCheckerPolicyVersion: FJ-ISEC-20150223 X-SHieldMailCheckerMailID: 859aaca5828d494198c1d3019d1a0f7e Message-Id: <201510220848.AA00001@WIN-5MHF4RKU941.jp.fujitsu.com> From: Tsutomu Itoh Date: Thu, 22 Oct 2015 17:48:02 +0900 To: linux-btrfs@vger.kernel.org Subject: [PATCH] Btrfs: change the initialization point of fs_root in open_ctree() MIME-Version: 1.0 X-Mailer: AL-Mail32 Version 1.13 X-TM-AS-MML: disable Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Kernel panic occurred due to NULL pointer reference in can_overcommit(). Because btrfs_async_reclaim_metadata_space() passed NULL pointer to btrfs_calc_reclaim_metadata_size(). ============================================================ [ 3756.152833] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f0 [ 3756.152882] IP: [] can_overcommit+0x21/0xf0 [btrfs] [ 3756.152936] PGD 0 [ 3756.152949] Oops: 0000 [#1] SMP [ 3756.152969] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_filter ebtable_broute bridge stp llc ebtable_nat ebtables ip6table_mangle ip6table_raw ip6table_security ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_filter ip6_tables iptable_mangle iptable_raw iptable_security iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack coretemp kvm_intel kvm crc32 _pclmul iTCO_wdt iTCO_vendor_support microcode ipmi_si lpc_ich mfd_core pcspkr acpi_power_meter ipmi_msghandler i2c_i801 i7core_edac shpchp edac_core nfsd acpi_cpufreq auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel btrfs xor raid6_pq usb_storage mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm igb ptp ata_generic pps_core pata_acpi crc32c_intel [ 3756.153397] dca megaraid_sas i2c_algo_bit ata_piix i2c_core [ 3756.153433] CPU: 3 PID: 3004 Comm: kworker/u25:4 Tainted: G I 4.3.0-rc6 #1 [ 3756.153469] Hardware name: FUJITSU-SV PRIMERGY RX300 S6 /D2619, BIOS 6.00 Rev. 1.09.2619.N1 12/13/2010 [ 3756.153537] Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs] [ 3756.153571] task: ffff88023581a400 ti: ffff880234648000 task.ti: ffff880234648000 [ 3756.153604] RIP: 0010:[] [] can_overcommit+0x21/0xf0 [btrfs] [ 3756.153655] RSP: 0018:ffff88023464bda8 EFLAGS: 00010282 [ 3756.153679] RAX: 0000000001000000 RBX: ffff880431f68c00 RCX: 0000000000000002 [ 3756.153711] RDX: 0000000000c00000 RSI: 0000000000000000 RDI: 0000000000000000 [ 3756.153742] RBP: ffff88023464bde0 R08: 0000000000000101 R09: 000000000000000c [ 3756.153773] R10: ffffffff81d10060 R11: ffffffff81d10050 R12: ffff880431f68c00 [ 3756.153804] R13: 0000000000000000 R14: ffff880035f67070 R15: 0000000000c00000 [ 3756.153836] FS: 0000000000000000(0000) GS:ffff880237cc0000(0000) knlGS:0000000000000000 [ 3756.153871] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 3756.153897] CR2: 00000000000001f0 CR3: 0000000001c08000 CR4: 00000000000006e0 [ 3756.153929] Stack: [ 3756.153940] ffff880200000000 ffff880237cd2940 ffff880431f68c00 0000000000000000 [ 3756.153979] 0000000000c00000 ffff880035f67070 0000000000000000 ffff88023464be20 [ 3756.154016] ffffffffa01e5404 ffff880431f68c80 ffff880234482240 ffff8802378a1800 [ 3756.154054] Call Trace: [ 3756.154081] [] btrfs_async_reclaim_metadata_space+0xb4/0x210 [btrfs] [ 3756.154119] [] process_one_work+0x19e/0x3d0 [ 3756.154146] [] worker_thread+0x4e/0x450 [ 3756.154174] [] ? __schedule+0x2b9/0x930 [ 3756.154199] [] ? process_one_work+0x3d0/0x3d0 [ 3756.154227] [] ? process_one_work+0x3d0/0x3d0 [ 3756.154255] [] kthread+0xc9/0xe0 [ 3756.154279] [] ? kthread_worker_fn+0x160/0x160 [ 3756.154307] [] ret_from_fork+0x3f/0x70 [ 3756.154333] [] ? kthread_worker_fn+0x160/0x160 [ 3756.154361] Code: a5 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 f4 53 31 f6 49 89 fd 49 89 d7 48 83 ec 10 <4c> 8b b7 f0 01 00 00 89 4d cc 49 3b 7e 30 40 0f 95 c6 48 8d 74 [ 3756.156802] RIP [] can_overcommit+0x21/0xf0 [btrfs] [ 3756.157995] RSP [ 3756.159162] CR2: 00000000000001f0 ============================================================ fs_info->fs_root is referred in btrfs_async_reclaim_metadata_space() when mount kicked kworker(btrfs_async_reclaim_metadata_space). But at this time, fs_info->fs_root had not been initialized yet, so NULL pointer passed to btrfs_calc_reclaim_metadata_size(). ============================================================ PID: 3045 TASK: ffff8800bb06b000 CPU: 2 COMMAND: "mount" [exception RIP: queued_spin_lock_slowpath+350] RIP: ffffffff810be2de RSP: ffff8800b9fdb738 RFLAGS: 00000202 RAX: 0000000000000101 RBX: ffff880431f68c00 RCX: 0000000000000001 RDX: 0000000000000101 RSI: 0000000000000001 RDI: ffff880431f68c00 RBP: ffff8800b9fdb738 R8: 0000000000000101 R9: 0000000000000000 R10: 0000000000004000 R11: 0000000000018e58 R12: 0000000000000001 R13: ffff8800b9fdb7c0 R14: ffff8800bb06b000 R15: 0000000000000001 CS: 0010 SS: 0018 #0 [ffff8800b9fdb740] _raw_spin_lock at ffffffff81694ff0 #1 [ffff8800b9fdb750] reserve_metadata_bytes at ffffffffa01e55cc [btrfs] #2 [ffff8800b9fdb800] btrfs_block_rsv_add at ffffffffa01e5a93 [btrfs] #3 [ffff8800b9fdb828] btrfs_truncate_inode_items at ffffffffa0202779 [btrfs] #4 [ffff8800b9fdb920] btrfs_evict_inode at ffffffffa02040ec [btrfs] #5 [ffff8800b9fdb990] evict at ffffffff811ed6ea #6 [ffff8800b9fdb9b8] iput at ffffffff811ed996 #7 [ffff8800b9fdb9e8] btrfs_orphan_cleanup at ffffffffa0204c57 [btrfs] #8 [ffff8800b9fdba60] btrfs_recover_relocation at ffffffffa0247a8e [btrfs] #9 [ffff8800b9fdbaf0] open_ctree at ffffffffa01f576b [btrfs] #10 [ffff8800b9fdbbc8] btrfs_mount at ffffffffa01cc6a9 [btrfs] #11 [ffff8800b9fdbc90] mount_fs at ffffffff811d7ab8 #12 [ffff8800b9fdbcd8] vfs_kern_mount at ffffffff811f1be7 #13 [ffff8800b9fdbd10] btrfs_mount at ffffffffa01cbf57 [btrfs] #14 [ffff8800b9fdbdd8] mount_fs at ffffffff811d7ab8 #15 [ffff8800b9fdbe20] vfs_kern_mount at ffffffff811f1be7 #16 [ffff8800b9fdbe58] do_mount at ffffffff811f3f8d #17 [ffff8800b9fdbf08] sys_mount at ffffffff811f4e1c #18 [ffff8800b9fdbf50] entry_SYSCALL_64_fastpath at ffffffff8169536e RIP: 00007f6250fc733a RSP: 00007ffdcd40ba88 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 00007f6251b2f42a RCX: 00007f6250fc733a RDX: 0000564b58511070 RSI: 0000564b5850e290 RDI: 0000564b5850e270 RBP: 0000564b5850e150 R8: 0000000000000000 R9: 0000000000000014 R10: 00000000c0ed0000 R11: 0000000000000246 R12: 00007f6251d3f1dc R13: 00007ffdcd40bd88 R14: 0000000000000000 R15: 00000000ffffffff ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b ============================================================ Therefore, the initialization point of fs_info->fs_root is changed before btrfs_recover_relocation(). Signed-off-by: Tsutomu Itoh --- fs/btrfs/disk-io.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 1e60d00..a1bfa27 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -3019,6 +3019,16 @@ retry_root_backup: if (ret) goto fail_qgroup; + location.objectid = BTRFS_FS_TREE_OBJECTID; + location.type = BTRFS_ROOT_ITEM_KEY; + location.offset = 0; + + fs_info->fs_root = btrfs_read_fs_root_no_name(fs_info, &location); + if (IS_ERR(fs_info->fs_root)) { + err = PTR_ERR(fs_info->fs_root); + goto fail_qgroup; + } + if (!(sb->s_flags & MS_RDONLY)) { ret = btrfs_cleanup_fs_roots(fs_info); if (ret) @@ -3033,20 +3043,9 @@ retry_root_backup: err = -EINVAL; goto fail_qgroup; } - } - - location.objectid = BTRFS_FS_TREE_OBJECTID; - location.type = BTRFS_ROOT_ITEM_KEY; - location.offset = 0; - - fs_info->fs_root = btrfs_read_fs_root_no_name(fs_info, &location); - if (IS_ERR(fs_info->fs_root)) { - err = PTR_ERR(fs_info->fs_root); - goto fail_qgroup; - } - - if (sb->s_flags & MS_RDONLY) + } else { return 0; + } down_read(&fs_info->cleanup_work_sem); if ((ret = btrfs_orphan_cleanup(fs_info->fs_root)) ||