Ubuntu
linux package

Kernel oops when mounting UDF volume

Bug #857170 reported by unsound
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Medium
Herton R. Krzesinski
Natty
Fix Released
Undecided
Herton R. Krzesinski
Oneiric
Fix Released
Medium
Herton R. Krzesinski

Bug Description

SRU Justification
=================

Impact

Regression after the update to 2.6.38.8, there is a possibility of crash
in block code after the change "block: don't block events on excl write
for non-optical devices", like the one reported in bug 857170

Fix

Fixed by upstream commit 4c49ff3fe128ca68dabd07537415c419ad7f82f9,
tested by the reporter in this bug.

Testcase

Report in this bug shows one way to reproduce the issue.

-------------------------------------------------------------------------

After installing kernel version 2.6.38-11-powerpc64-smp to my PowerMac G5 Quad I noticed that upon logging in with a CD inserted, the system would throw an error during login and while it doesn't seem like an actual panic, the system was unusable after this error.

I investigated some more and realized that it was upon attempting to mount the inserted CD (with UDF) that the error was thrown.

I can reproduce this error manually with the following recipe:
- Start the computer, boot Linux with kernel 2.6.38-11-powerpc64-smp.
- Skip graphical login and VT-switch to console one and log in.
- Attempt to mount /dev/hda (which the device assigned to the built-in DVD-RW) as UDF as in the following example:
---
$ sudo mount -t udf /dev/hda mountpoint
[ 84.594281] Unable to handle kernel paging request for data at address 0x00000320
[ 84.594303] Faulting instruction address: 0xc00000000025adbc
[ 84.594317] Oops: Kernel access of bad area, sig: 11 [#1]
[ 84.594329] SMP NR_CPUS=1024 NUMA PowerMac
[ 84.594347] last sysfs file: /sys/module/crc_itu_t/initstate
[ 84.594360] Modules linked in: udf sha256_generic aes_generic parport_pc ppdev lp parport dm_crypt binfmt_misc rfcomm sco bnep l2cap btusb bluetooth sil164 nouveau drm_kms_helper ttm drm snd_aoa_codec_onyx snd_aoa_fabric_layout snd_aoa arc4 b43 mac80211 cfg80211 snd_aoa_i2sbus snd_aoa_soundbus rtc_generic snd_powermac snd_pcm snd_page_alloc snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device snd soundcore raid10 raid456 async_pq async_xor xor async_raid6_recov raid6_pq async_memcpy async_tx raid1 raid0 multipath linear md_mod windfarm_cpufreq_clamp windfarm_max6690_sensor windfarm_lm75_sensor windfarm_smu_sensors windfarm_smu_controls windfarm_pm112 windfarm_pid windfarm_smu_sat windfarm_core dm_mirror dm_region_hash dm_log hid_apple sg usbhid ssb hid mmc_core firewire_ohci sd_mod tg3 crc_t10dif firewire_core uninorth_agp crc_itu_t
[ 84.594753] NIP: c00000000025adbc LR: c00000000025ada8 CTR: c00000000053d560
[ 84.594768] REGS: c0000001726675c0 TRAP: 0300 Not tainted (2.6.38-11-powerpc64-smp)
[ 84.594781] MSR: 9000000000009032 <EE,ME,IR,DR> CR: 24448442 XER: 20000000
[ 84.594819] DAR: 0000000000000320, DSISR: 40000000
[ 84.594830] TASK = c00000016b11d130[2137] 'mount' THREAD: c000000172664000 CPU: 1
[ 84.594847] GPR00: 0000000000000000 c000000172667840 c000000001160190 c0000000013f58c0
[ 84.594876] GPR04: c000000179306dd0 0000000000000000 c000000000195a08 a000000000000000
[ 84.594905] GPR08: c00000017bfd4c00 c0000000013f58c8 0000000000000000 5e86cff07c1b7400
[ 84.594934] GPR12: 0000000024444428 c00000000ff60280 0000000000000000 0000000010114ec8
[ 84.594964] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 84.594993] GPR20: 00000000100231f8 0000000000000000 0000000000000000 c00000000118e580
[ 84.595022] GPR24: c000000179306da0 ffffffffffffffe2 0000000000000000 0000000000000083
[ 84.595051] GPR28: c000000179306d80 c000000179306d80 c0000000010ae9b8 c000000172667840
[ 84.595087] NIP [c00000000025adbc] .blkdev_get+0x16c/0x2c0
[ 84.595100] LR [c00000000025ada8] .blkdev_get+0x158/0x2c0
[ 84.595111] Call Trace:
[ 84.595119] [c000000172667840] [c00000000025ada8] .blkdev_get+0x158/0x2c0 (unreliable)
[ 84.595141] [c000000172667900] [c00000000025b0d4] .blkdev_get_by_path+0x54/0xd0
[ 84.595159] [c0000001726679a0] [c000000000210970] .mount_bdev+0x80/0x2b0
[ 84.595181] [c000000172667a80] [d000000001c62a2c] .udf_mount+0x4c/0x70 [udf]
[ 84.595197] [c000000172667b20] [c00000000020ffac] .vfs_kern_mount+0xcc/0x300
[ 84.595214] [c000000172667be0] [c0000000002102b4] .do_kern_mount+0x74/0x160
[ 84.595230] [c000000172667c90] [c00000000023ba70] .do_mount+0x250/0x2d0
[ 84.595248] [c000000172667d60] [c000000000278814] .compat_sys_mount+0x174/0x2c0
[ 84.595265] [c000000172667e30] [c0000000000085b0] syscall_exit+0x0/0x40
[ 84.595280] Instruction dump:
[ 84.595290] 6b5a0001 0b1a0000 3b400000 7fa3eb78 38800000 fb430051 4be7f99d 60000000
[ 84.595327] 880d01dc 2f800000 409e00f8 7c2004ac <80160320> 39200000 91370000 7809c7e3
[ 84.600364] ---[ end trace efdcc03d2a77700c ]---
---

I have verified that this problem does not occur with kernel version 2.6.38-10-powerpc64-smp. All packages are up-to-date as of 23 Sep 2011, 10.46 CET (UTC+2).

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: linux-image-2.6.38-11-powerpc64-smp 2.6.38-11.50
ProcVersionSignature: Ubuntu 2.6.38-11.50-powerpc64-smp 2.6.38.8
Uname: Linux 2.6.38-11-powerpc64-smp ppc64
AcpiTables:

AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.23.
AplayDevices:
 **** List of PLAYBACK Hardware Devices ****
 card 0: SoundByLayout [SoundByLayout], device 0: Master []
   Subdevices: 1/1
   Subdevice #0: subdevice #0
Architecture: powerpc
ArecordDevices:
 **** List of CAPTURE Hardware Devices ****
 card 0: SoundByLayout [SoundByLayout], device 0: Master []
   Subdevices: 1/1
   Subdevice #0: subdevice #0
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: erik 6591 F.... pulseaudio
CRDA: Error: [Errno 2] Filen eller katalogen finns inte
Card0.Amixer.info:
 Card hw:0 'SoundByLayout'/'SoundByLayout'
   Mixer name : 'SoundByLayout'
   Components : ''
   Controls : 18
   Simple ctrls : 14
Date: Fri Sep 23 10:36:19 2011
EcryptfsInUse: Yes
HibernationDevice: RESUME=UUID=1d1304f9-b33f-44cc-b7d7-b3b6a80b9797
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release powerpc (20100428)
PciMultimedia:

ProcEnviron:
 LANGUAGE=sv_SE:en
 PATH=(custom, user)
 LANG=sv_SE.utf8
 SHELL=/bin/bash
ProcKernelCmdLine: root=/dev/sda7 ro quiet splash
RelatedPackageVersions:
 linux-restricted-modules-2.6.38-11-powerpc64-smp N/A
 linux-backports-modules-2.6.38-11-powerpc64-smp N/A
 linux-firmware 1.52.4
SourcePackage: linux
UpgradeStatus: Upgraded to natty on 2011-05-10 (135 days ago)

See original description
Revision history for this message
unsound (unsound) wrote :
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Herton R. Krzesinski (herton) wrote :

I know nothing about powerpc ISA/arch, but it seems the crash point is NIP [c00000000025adbc] .blkdev_get+0x16c/0x2c0

Since there is no ddebs built for powerpc, I built myself using same natty toolchain, this is what gdb points at blkdev_get+0x16c:
(gdb) l *(blkdev_get+0x16c)
0xc00000000025adbc is in blkdev_get (/home/herton/ubuntu-natty/fs/block_dev.c:1270).
1265 * write holder makes the write_holder state stick until
1266 * all are released. This is good enough and tracking
1267 * individual writeable reference is too fragile given the
1268 * way @mode is used in blkdev_get/put().
1269 */
1270 if ((disk->flags & GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE) &&
1271 !res && (mode & FMODE_WRITE) && !bdev->bd_write_holder) {
1272 bdev->bd_write_holder = true;
1273 disk_block_events(disk);
1274 }

Which means likely this bug will be fixed by cherry-picking commit 4c49ff3 upstream on natty.

I'll build a test kernel on Monday with the fix and ask you try it.

Changed in linux (Ubuntu):
assignee: nobody → Herton R. Krzesinski (herton)
status: Confirmed → In Progress
importance: Undecided → Medium
Revision history for this message
Herton R. Krzesinski (herton) wrote :

Built the kernel earlier. unsound, can you try the kernel from http://people.canonical.com/~herton/lp857170/ and see if the problem still happens, and report here the result?

Changed in linux (Ubuntu):
status: In Progress → Incomplete
Revision history for this message
unsound (unsound) wrote :

I can verify that I no longer have the kernel oops with your custom-built kernel... so the patch was effective!
Thanks a lot for looking into this.

Revision history for this message
Herton R. Krzesinski (herton) wrote :

unsound, thanks for the testing. I submitted the fix for inclusion in the natty kernel. Once an update is made, it'll be requested for you to do one more test with the update candidate, stay tuned.

Changed in linux (Ubuntu):
status: Incomplete → In Progress
description: updated
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in linux (Ubuntu Natty):
status: New → Fix Committed
assignee: nobody → Herton R. Krzesinski (herton)
Herton R. Krzesinski (herton)
tags: added: regression-update
Revision history for this message
Herton R. Krzesinski (herton) wrote :

This bug is awaiting verification that the kernel for Natty in -proposed solves the problem (2.6.38-13.52). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-natty' to 'verification-done-natty'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-natty
Revision history for this message
unsound (unsound) wrote :

I can verify that I cannot reproduce the problem in the version currently in 'proposed', 2.6.38-13.52.
So the bug appears to be fixed in this kernel version. Thanks.

Revision history for this message
Herton R. Krzesinski (herton) wrote :

Tagging as verification-done-natty given the feedback on comment #7

tags: added: verification-done-natty
removed: verification-needed-natty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-13.52

---------------
linux (2.6.38-13.52) natty-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #887379

  [ Konrad Rzeszutek Wilk ]

  * SAUCE: x86/paravirt: Partially revert "remove lazy mode in interrupts"
    - LP: #854050

  [ Ming Lei ]

  * SAUCE: [media] uvcvideo: Set alternate setting 0 on resume if the bus
    has been reset
    - LP: #816484

  [ Seth Forshee ]

  * SAUCE: acer-wmi: Add wireless quirk for Lenovo 3000 N200
    - LP: #857297

  [ Upstream Kernel Changes ]

  * Make TASKSTATS require root access, CVE-2011-2494
    - LP: #866021
    - CVE-2011-2494
  * proc: restrict access to /proc/PID/io, CVE-2011-2495
    - LP: #866025
    - CVE-2011-2495
  * proc: fix a race in do_io_accounting(), CVE-2011-2495
    - LP: #866025
    - CVE-2011-2495
  * staging: comedi: fix infoleak to userspace, CVE-2011-2909
    - LP: #869261
    - CVE-2011-2909
  * perf tools: do not look at ./config for configuration, CVE-2011-2905
    - LP: #869259
    - CVE-2011-2905
  * e1000e: workaround for packet drop on 82579 at 100Mbps
    - LP: #870127
  * eCryptfs: Remove unnecessary grow_file() function
    - LP: #745836
  * eCryptfs: Remove ECRYPTFS_NEW_FILE crypt stat flag
    - LP: #745836
  * block: blkdev_get() should access ->bd_disk only after success
    - LP: #857170
  * ipv6: restore correct ECN handling on TCP xmit
    - LP: #872179
  * nl80211: fix overflow in ssid_len - CVE-2011-2517
    - LP: #869245
    - CVE-2011-2517
  * ksm: fix NULL pointer dereference in scan_get_next_rmap_item() -
    CVE-2011-2183
    - LP: #869227
    - CVE-2011-2183
  * NLM: Don't hang forever on NLM unlock requests - CVE-2011-2491
    - LP: #869237
    - CVE-2011-2491
  * KVM: fix kvmclock regression due to missing clock update
    - LP: #795717
  * drm/i915: don't enable plane, pipe and PLL prematurely
    - LP: #812638
  * drm/i915: add pipe/plane enable/disable functions
    - LP: #812638
 -- Herton Ronaldo Krzesinski <email address hidden> Mon, 07 Nov 2011 22:11:51 -0200

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.