Bug 3269 - [ANCK 4.19] erofs: system crashes when mounting with the device and blob_dir_path options
Summary: [ANCK 4.19] erofs: system crashes when mounting with the device and blob_dir_path options
Status: RESOLVED FIXED
Alias: None
Product: ANCK 4.19 Dev
Classification: ANCK
Component: fs
Version: unspecified
Hardware: All Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: Jingbo Xu
QA Contact: shuming
Reported: 2022-11-28 14:42 UTC by 苟浩
Modified: 2023-03-02 18:06 UTC (History)
Description 苟浩 uniontech_group 2022-11-28 14:42:26 UTC
Reproduces every time.

Steps to reproduce:
```sh
dd if=/dev/zero of=erofs-img bs=512 count=23000
mkdir srcdir
cp erofs-utils/autogen.sh erofs-utils/Makefile srcdir/
./erofs-utils/mkfs/mkfs.erofs erofs-img  srcdir/
mkdir mp
dd if=/dev/zero of=erofs-img2 bs=512 count=23000
sudo mount -t erofs -o loop,device=/home/gouhao/erofs-test/erofs-img2,blob_dir_path=/home/gouhao erofs-img mp
```

Crash log:
```
[  164.896614] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[  164.896661] PGD 0 P4D 0 
[  164.896676] Oops: 0000 [#1] SMP PTI
[  164.896693] CPU: 2 PID: 4686 Comm: mount Kdump: loaded Not tainted 4.19.91 #1
[  164.896717] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[  164.896760] RIP: 0010:erofs_read_metabuf+0x145/0x190 [erofs]
[  164.896781] Code: 5d 60 48 c1 f8 06 48 c1 e0 0c 48 03 05 c4 a7 b5 f3 48 89 45 58 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 87 c8 00 00 00 4c 89 e6 <48> 8b 40 08 48 8b 78 30 8b 97 84 00 00 00 80 e2 7f e8 15 f4 bd f2
[  164.896855] RSP: 0018:ffffa8c54159fc28 EFLAGS: 00010246
[  164.896875] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001
[  164.896912] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffa8c54159fc68
[  164.896936] RBP: ffffa8c54159fc68 R08: 0000000000028530 R09: ffffffffb32c7f93
[  164.896959] R10: ffffa8c54159fd18 R11: 0000000000000000 R12: 0000000000000000
[  164.896983] R13: ffff9213a691dd80 R14: ffff9213a691dd80 R15: ffff9213a402e800
[  164.897007] FS:  00007ff1250d2c80(0000) GS:ffff9213b7a80000(0000) knlGS:0000000000000000
[  164.897033] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  164.897053] CR2: 0000000000000008 CR3: 00000002294be000 CR4: 00000000000006e0
[  164.897101] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  164.897127] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  164.897152] Call Trace:
[  164.897202]  erofs_read_superblock+0x57/0x2a0 [erofs]
[  164.897223]  ? erofs_fill_super+0x18b/0x280 [erofs]
[  164.897243]  erofs_fill_super+0x18b/0x280 [erofs]
[  164.897261]  ? erofs_remount+0x70/0x70 [erofs]
[  164.897281]  mount_nodev+0x48/0xa0
[  164.897307]  erofs_mount+0xbd/0x100 [erofs]
[  164.897328]  ? cpumask_next+0x17/0x20
[  164.897344]  ? mount_fs+0x35/0x160
[  164.897360]  mount_fs+0x35/0x160
[  164.897377]  vfs_kern_mount.part.9+0x54/0x110
[  164.897398]  do_mount+0x5af/0xc20
[  164.897414]  ? kmem_cache_alloc_trace+0x141/0x1a0
[  164.897433]  ksys_mount+0x80/0xd0
[  164.897449]  __x64_sys_mount+0x21/0x30
[  164.897466]  do_syscall_64+0x5b/0x1d0
[  164.897487]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  164.897512] RIP: 0033:0x7ff125289cba
[  164.897529] Code: 48 8b 0d d1 81 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 9e 81 0b 00 f7 d8 64 89 01 48
[  164.897585] RSP: 002b:00007ffee481ef88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[  164.897615] RAX: ffffffffffffffda RBX: 000055bdd5780a50 RCX: 00007ff125289cba
[  164.897647] RDX: 000055bdd5780c80 RSI: 000055bdd5785b90 RDI: 000055bdd5787e20
[  164.897678] RBP: 0000000000000000 R08: 000055bdd5780cf0 R09: 000055bdd5780d40
[  164.897703] R10: 0000000000000000 R11: 0000000000000246 R12: 000055bdd5787e20
[  164.897726] R13: 000055bdd5780c80 R14: 0000000000000001 R15: 00007ff12542e224
[  164.898426] Modules linked in: erofs loop scsi_transport_iscsi psmouse joydev mousedev sg i2c_piix4 pcspkr sch_fq_codel ip_tables xfs libcrc32c sr_mod cdrom ata_generic pata_acpi bochs_drm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm serio_raw ata_piix libata i2c_core uhci_hcd floppy dm_mirror dm_region_hash dm_log dm_mod
[  164.900315] CR2: 0000000000000008
[  164.900917] ---[ end trace 5a19f0b9797afa12 ]---
[  164.901515] RIP: 0010:erofs_read_metabuf+0x145/0x190 [erofs]
[  164.902082] Code: 5d 60 48 c1 f8 06 48 c1 e0 0c 48 03 05 c4 a7 b5 f3 48 89 45 58 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 87 c8 00 00 00 4c 89 e6 <48> 8b 40 08 48 8b 78 30 8b 97 84 00 00 00 80 e2 7f e8 15 f4 bd f2
[  164.903303] RSP: 0018:ffffa8c54159fc28 EFLAGS: 00010246
[  164.903880] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001
[  164.904453] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffa8c54159fc68
[  164.905077] RBP: ffffa8c54159fc68 R08: 0000000000028530 R09: ffffffffb32c7f93
[  164.905713] R10: ffffa8c54159fd18 R11: 0000000000000000 R12: 0000000000000000
[  164.906349] R13: ffff9213a691dd80 R14: ffff9213a691dd80 R15: ffff9213a402e800
[  164.906954] FS:  00007ff1250d2c80(0000) GS:ffff9213b7a80000(0000) knlGS:0000000000000000
[  164.907627] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  164.908259] CR2: 0000000000000008 CR3: 00000002294be000 CR4: 00000000000006e0
[  164.908953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  164.909603] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  164.910229] Kernel panic - not syncing: Fatal exception
[  164.911856] Kernel Offset: 0x32000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
```
Comment 1 苟浩 uniontech_group 2022-11-28 15:20:29 UTC
The log above was taken on release-4.19.

The log below was taken on devel-4.19:
```
[  325.311712] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  325.311752] PGD 0 P4D 0
[  325.311767] Oops: 0000 [#1] SMP PTI
[  325.311781] CPU: 1 PID: 1671 Comm: mount Kdump: loaded Tainted: G            E     4.19.91-anolis-dev #1
[  325.311810] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[  325.311852] RIP: 0010:strlen+0x0/0x20
[  325.311868] Code: 48 89 fa 74 09 48 83 c2 01 80 3a 00 75 f7 48 83 c6 01 0f b6 4e ff 48 83 c2 01 84 c9 88 4a ff 75 ed f3 c3 0f 1f 80 00 00 00 00 <80> 3f 00 48 89 f8 74 10 48 83 c7 01 80 3f 00 75 f7 48 29 c7 48 89
[  325.311920] RSP: 0018:ffffa73d41a67cf0 EFLAGS: 00010286
[  325.311940] RAX: ffff91e672d7f130 RBX: ffff91e672d7f130 RCX: 0000000000000000
[  325.311968] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  325.311990] RBP: 0000000000000000 R08: ffff91e677a67060 R09: ffff91e677403b00
[  325.312012] R10: ffffe29488cb5fc0 R11: 0000000000000000 R12: ffff91e672c35800
[  325.312045] R13: 0000000000000001 R14: ffff91e6767d40a8 R15: 0000000000000000
[  325.312068] FS:  00007fbc7a31cc80(0000) GS:ffff91e677a40000(0000) knlGS:0000000000000000
[  325.312093] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  325.312113] CR2: 0000000000000000 CR3: 000000023504c000 CR4: 00000000000006e0
[  325.312137] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  325.312160] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  325.312181] Call Trace:
[  325.312210]  erofs_fscache_register_cookie+0x43/0x160 [erofs]
[  325.312237]  erofs_fill_super+0x271/0x330 [erofs]
[  325.312256]  ? erofs_remount+0x90/0x90 [erofs]
[  325.312275]  mount_nodev+0x48/0xa0
[  325.312299]  erofs_mount+0xbd/0x100 [erofs]
[  325.312320]  ? cpumask_next+0x17/0x20
[  325.312336]  ? mount_fs+0x35/0x160
[  325.312349]  mount_fs+0x35/0x160
[  325.312364]  vfs_kern_mount.part.9+0x54/0x110
[  325.312381]  do_mount+0x55b/0x9f0
[  325.312396]  ksys_mount+0x80/0xd0
[  325.312409]  __x64_sys_mount+0x21/0x30
[  325.312426]  do_syscall_64+0x5b/0x1d0
[  325.312443]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  325.312462] RIP: 0033:0x7fbc7a4d3cba
[  325.312476] Code: 48 8b 0d d1 81 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 9e 81 0b 00 f7 d8 64 89 01 48
[  325.312529] RSP: 002b:00007ffe4ab76a08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[  325.312558] RAX: ffffffffffffffda RBX: 000055a499a65a50 RCX: 00007fbc7a4d3cba
[  325.312581] RDX: 000055a499a65c80 RSI: 000055a499a6ab90 RDI: 000055a499a6ce20
[  325.312604] RBP: 0000000000000000 R08: 000055a499a65cf0 R09: 000055a499a65d40
[  325.312626] R10: 0000000000000000 R11: 0000000000000246 R12: 000055a499a6ce20
[  325.313266] R13: 000055a499a65c80 R14: 0000000000000001 R15: 00007fbc7a678224
[  325.313894] Modules linked in: erofs(E) fscache(E) loop(E) scsi_transport_iscsi(E) joydev(E) psmouse(E) sg(E) mousedev(E) pcspkr(E) i2c_piix4(E) sch_fq_codel(E) ip_tables(E) xfs(E) libcrc32c(E) sr_mod(E) cdrom(E) ata_generic(E) pata_acpi(E) bochs_drm(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) ttm(E) drm(E) ata_piix(E) i2c_core(E) serio_raw(E) uhci_hcd(E) libata(E) floppy(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
[  325.316421] CR2: 0000000000000000
[  325.317107] ---[ end trace 7c827cc95c53a70d ]---
[  325.317792] RIP: 0010:strlen+0x0/0x20
[  325.318434] Code: 48 89 fa 74 09 48 83 c2 01 80 3a 00 75 f7 48 83 c6 01 0f b6 4e ff 48 83 c2 01 84 c9 88 4a ff 75 ed f3 c3 0f 1f 80 00 00 00 00 <80> 3f 00 48 89 f8 74 10 48 83 c7 01 80 3f 00 75 f7 48 29 c7 48 89
[  325.319748] RSP: 0018:ffffa73d41a67cf0 EFLAGS: 00010286
[  325.320420] RAX: ffff91e672d7f130 RBX: ffff91e672d7f130 RCX: 0000000000000000
[  325.321092] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  325.321692] RBP: 0000000000000000 R08: ffff91e677a67060 R09: ffff91e677403b00
[  325.322333] R10: ffffe29488cb5fc0 R11: 0000000000000000 R12: ffff91e672c35800
[  325.322903] R13: 0000000000000001 R14: ffff91e6767d40a8 R15: 0000000000000000
[  325.323513] FS:  00007fbc7a31cc80(0000) GS:ffff91e677a40000(0000) knlGS:0000000000000000
[  325.324166] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  325.324743] CR2: 0000000000000000 CR3: 000000023504c000 CR4: 00000000000006e0
[  325.325330] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  325.325906] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  325.326478] Kernel panic - not syncing: Fatal exception
[  325.328078] Kernel Offset: 0x35000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
```
Comment 2 gaoxiang alibaba_cloud_group 2022-11-28 15:31:15 UTC
device and blob_dir_path cannot be used together; adding a guard for that should be enough.
Comment 3 gaoxiang alibaba_cloud_group 2022-11-28 15:38:08 UTC
By the way, may I ask about the background? Also, does your company currently have any target scenarios for erofs other than container OS? If so, we can look into supporting those as well.
Comment 4 苟浩 uniontech_group 2022-11-28 15:40:55 UTC
(In reply to gaoxiang from comment #3)
> By the way, may I ask about the background? Also, does your company currently have any target scenarios for erofs other than container OS? If so, we can look into supporting those as well.

Not at the moment; I found this while testing the feature.
Comment 5 苟浩 uniontech_group 2022-11-29 11:36:12 UTC
Two more small issues: passing a wrong argument to blob_dir_path or bootstrap_path also crashes:
```sh
sudo mount -t erofs -o loop,blob_dir_path=/home erofs-img mp
sudo mount -t erofs -o loop,bootstrap_path=/home erofs-img mp
```
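The guard proposed in comment 2 (device and blob_dir_path are mutually exclusive) and the wrong-argument cases from comment 5 can be modelled in user space as an option validator that runs before anything dereferences the option values. This is an added illustration, not ANCK or erofs kernel code: the option names come from the mount commands in this bug, while `erofs_validate_opts`, `parse_opts` and the path rule (non-empty, absolute) are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the mount options seen in this bug report. */
struct erofs_opts {
    const char *device;          /* device=...         */
    const char *blob_dir_path;   /* blob_dir_path=...  */
    const char *bootstrap_path;  /* bootstrap_path=... */
};

/* Split "loop,device=/x,blob_dir_path=/y" into opts (modifies optstr).
 * Flags without '=' (e.g. "loop") and unknown keys are ignored here. */
static void parse_opts(char *optstr, struct erofs_opts *o)
{
    memset(o, 0, sizeof(*o));
    for (char *tok = strtok(optstr, ","); tok; tok = strtok(NULL, ",")) {
        char *eq = strchr(tok, '=');
        if (!eq)
            continue;
        *eq = '\0';
        const char *val = eq + 1;
        if (!strcmp(tok, "device"))
            o->device = val;
        else if (!strcmp(tok, "blob_dir_path"))
            o->blob_dir_path = val;
        else if (!strcmp(tok, "bootstrap_path"))
            o->bootstrap_path = val;
    }
}

/* Assumed rule: an absent path is fine, a given path must be absolute. */
static int path_ok(const char *p)
{
    return p == NULL || p[0] == '/';
}

/* Returns 0 when the option set is acceptable, a negative errno otherwise:
 * device together with blob_dir_path is rejected (comment 2), and an
 * empty or relative blob_dir_path/bootstrap_path is rejected (comment 5). */
int erofs_validate_opts(const char *options)
{
    char buf[256];
    struct erofs_opts o;

    if (strlen(options) >= sizeof(buf))
        return -ENAMETOOLONG;
    strcpy(buf, options);
    parse_opts(buf, &o);
    if (o.device && o.blob_dir_path)
        return -EINVAL;
    if (!path_ok(o.blob_dir_path) || !path_ok(o.bootstrap_path))
        return -EINVAL;
    return 0;
}
```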
Comment 6 Jingbo Xu alibaba_cloud_group 2022-11-29 11:46:49 UTC
(In reply to 苟浩 from comment #5)
> Two more small issues: passing a wrong argument to blob_dir_path or bootstrap_path also crashes:
> ```sh
> sudo mount -t erofs -o loop,blob_dir_path=/home erofs-img mp
> sudo mount -t erofs -o loop,bootstrap_path=/home erofs-img mp
> ```

Thanks for the report; I will look into these and fix them shortly.
Comment 8 Jingbo Xu alibaba_cloud_group 2022-12-06 16:32:55 UTC
merged https://gitee.com/anolis/cloud-kernel/pulls/967