* NULL pointer dereference in blk_queue_flag_set
@ 2022-02-01 22:15 jkhsjdhjs
2022-02-02 6:57 ` Song Liu
0 siblings, 1 reply; 6+ messages in thread
From: jkhsjdhjs @ 2022-02-01 22:15 UTC (permalink / raw)
To: Song Liu; +Cc: linux-raid
[-- Attachment #1: Type: text/plain, Size: 811 bytes --]
Dear Song Liu,
my kernel (5.17-rc2) experiences a NULL pointer dereference when
activating an LDM (Windows Logical Disk Manager) on Arch Linux using
ldmtool [1]. I have attached the relevant excerpt of dmesg. This bug
causes my LDM RAID to fail activating (see ldmtool-status.txt and
lsblk.txt). Since this worked fine with 5.16, I bisected the kernel and
found that commit f51d46d0e7cb5b8494aa534d276a9d8915a2443d [2]
introduced the issue.
I'm not sure what else to add, if there's more information I can
provide, please tell me. Otherwise I'll happily assist in fixing this
issue - if there's something I can do.
Best Regards,
Leon
[1] https://github.com/mdbooth/libldm
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f51d46d0e7cb5b8494aa534d276a9d8915a2443d
[-- Attachment #2: ldmtool-status.txt --]
[-- Type: text/plain, Size: 599 bytes --]
$ systemctl status ldmtool.service
× ldmtool.service - Windows Dynamic Disk Mount
Loaded: loaded (/usr/lib/systemd/system/ldmtool.service; enabled; vendor preset: disabled)
Active: failed (Result: signal) since Tue 2022-02-01 17:48:17 CET; 42s ago
Process: 484 ExecStart=/usr/bin/ldmtool create all (code=killed, signal=KILL)
Main PID: 484 (code=killed, signal=KILL)
CPU: 216ms
Feb 01 17:48:17 benziuminator systemd[1]: ldmtool.service: Main process exited, code=killed, status=9/KILL
Feb 01 17:48:17 benziuminator systemd[1]: ldmtool.service: Failed with result 'signal'.
[-- Attachment #3: dmesg_excerpt.log --]
[-- Type: text/x-log, Size: 5737 bytes --]
[ 15.123761] device-mapper: raid: Loading target version 1.15.1
[ 15.124185] device-mapper: raid: Ignoring chunk size parameter for RAID 1
[ 15.124192] device-mapper: raid: Choosing default region size of 4MiB
[ 15.129524] BUG: kernel NULL pointer dereference, address: 0000000000000060
[ 15.129530] #PF: supervisor write access in kernel mode
[ 15.129533] #PF: error_code(0x0002) - not-present page
[ 15.129535] PGD 0 P4D 0
[ 15.129538] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 15.129541] CPU: 5 PID: 494 Comm: ldmtool Not tainted 5.17.0-rc2-1-mainline #1 9fe89d43dfcb215d2731e6f8851740520778615e
[ 15.129546] Hardware name: Gigabyte Technology Co., Ltd. X570 AORUS ELITE/X570 AORUS ELITE, BIOS F36e 10/14/2021
[ 15.129549] RIP: 0010:blk_queue_flag_set+0x7/0x20
[ 15.129555] Code: 00 00 00 0f 1f 44 00 00 48 8b 35 e4 e0 04 02 48 8d 57 28 bf 40 01 00 00 e9 16 c1 be ff 66 0f 1f 44 00 00 0f 1f 44 00 00 89 ff <f0> 48 0f ab 7e 60 31 f6 89 f7 c3 66 66 2e 0f 1f 84 00 00 00 00 00
[ 15.129559] RSP: 0018:ffff966b81987a88 EFLAGS: 00010202
[ 15.129562] RAX: ffff8b11c363a0d0 RBX: ffff8b11e294b070 RCX: 0000000000000000
[ 15.129564] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001d
[ 15.129566] RBP: ffff8b11e294b058 R08: 0000000000000000 R09: 0000000000000000
[ 15.129568] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b11e294b070
[ 15.129570] R13: 0000000000000000 R14: ffff8b11e294b000 R15: 0000000000000001
[ 15.129572] FS: 00007fa96e826780(0000) GS:ffff8b18deb40000(0000) knlGS:0000000000000000
[ 15.129575] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.129577] CR2: 0000000000000060 CR3: 000000010b8ce000 CR4: 00000000003506e0
[ 15.129580] Call Trace:
[ 15.129582] <TASK>
[ 15.129584] md_run+0x67c/0xc70 [md_mod 1e470c1b6bcf1114198109f42682f5a2740e9531]
[ 15.129597] raid_ctr+0x134a/0x28ea [dm_raid 6a645dd7519e72834bd7e98c23497eeade14cd63]
[ 15.129604] ? dm_split_args+0x63/0x150 [dm_mod 0d7b0bc3414340a79c4553bae5ca97294b78336e]
[ 15.129615] dm_table_add_target+0x188/0x380 [dm_mod 0d7b0bc3414340a79c4553bae5ca97294b78336e]
[ 15.129625] table_load+0x13b/0x370 [dm_mod 0d7b0bc3414340a79c4553bae5ca97294b78336e]
[ 15.129635] ? dev_suspend+0x2d0/0x2d0 [dm_mod 0d7b0bc3414340a79c4553bae5ca97294b78336e]
[ 15.129644] ctl_ioctl+0x1bd/0x460 [dm_mod 0d7b0bc3414340a79c4553bae5ca97294b78336e]
[ 15.129655] dm_ctl_ioctl+0xa/0x20 [dm_mod 0d7b0bc3414340a79c4553bae5ca97294b78336e]
[ 15.129663] __x64_sys_ioctl+0x8e/0xd0
[ 15.129667] do_syscall_64+0x5c/0x90
[ 15.129672] ? syscall_exit_to_user_mode+0x23/0x50
[ 15.129675] ? do_syscall_64+0x69/0x90
[ 15.129677] ? do_syscall_64+0x69/0x90
[ 15.129679] ? syscall_exit_to_user_mode+0x23/0x50
[ 15.129682] ? do_syscall_64+0x69/0x90
[ 15.129684] ? do_syscall_64+0x69/0x90
[ 15.129686] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 15.129689] RIP: 0033:0x7fa96ecd559b
[ 15.129692] Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a5 a8 0c 00 f7 d8 64 89 01 48
[ 15.129696] RSP: 002b:00007ffcaf85c258 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 15.129699] RAX: ffffffffffffffda RBX: 00007fa96f1b48f0 RCX: 00007fa96ecd559b
[ 15.129701] RDX: 00007fa97017e610 RSI: 00000000c138fd09 RDI: 0000000000000003
[ 15.129702] RBP: 00007fa96ebab583 R08: 00007fa97017c9e0 R09: 00007ffcaf85bf27
[ 15.129704] R10: 0000000000000001 R11: 0000000000000206 R12: 00007fa97017e610
[ 15.129706] R13: 00007fa97017e640 R14: 00007fa97017e6c0 R15: 00007fa97017e530
[ 15.129709] </TASK>
[ 15.129710] Modules linked in: raid1 amd64_edac(-) fjes(-) pcc_cpufreq(-) dm_raid raid456 md_mod async_raid6_recov async_memcpy async_pq async_xor intel_rapl_msr async_tx xor raid6_pq intel_rapl_common libcrc32c edac_mce_amd amdgpu(+) snd_hda_codec_realtek wmi_bmof snd_hda_codec_generic kvm_amd gigabyte_wmi ledtrig_audio snd_hda_codec_hdmi snd_hda_intel kvm snd_intel_dspcfg snd_intel_sdw_acpi snd_usb_audio snd_hda_codec gpu_sched sp5100_tco snd_usbmidi_lib irqbypass drm_ttm_helper snd_hda_core rapl i2c_piix4 joydev mousedev ttm snd_hwdep snd_rawmidi snd_seq_device igb dca wmi pinctrl_amd mac_hid acpi_cpufreq nls_iso8859_1 vfat fat snd_aloop snd_pcm snd_timer snd soundcore videodev mc sg crypto_user fuse ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm uas usb_storage usbhid dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd cryptd ccp sr_mod rng_core cdrom xhci_pci
[ 15.129750] xhci_pci_renesas
[ 15.129764] CR2: 0000000000000060
[ 15.129766] ---[ end trace 0000000000000000 ]---
[ 15.129767] RIP: 0010:blk_queue_flag_set+0x7/0x20
[ 15.129770] Code: 00 00 00 0f 1f 44 00 00 48 8b 35 e4 e0 04 02 48 8d 57 28 bf 40 01 00 00 e9 16 c1 be ff 66 0f 1f 44 00 00 0f 1f 44 00 00 89 ff <f0> 48 0f ab 7e 60 31 f6 89 f7 c3 66 66 2e 0f 1f 84 00 00 00 00 00
[ 15.129774] RSP: 0018:ffff966b81987a88 EFLAGS: 00010202
[ 15.129776] RAX: ffff8b11c363a0d0 RBX: ffff8b11e294b070 RCX: 0000000000000000
[ 15.129778] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001d
[ 15.129780] RBP: ffff8b11e294b058 R08: 0000000000000000 R09: 0000000000000000
[ 15.129782] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b11e294b070
[ 15.129784] R13: 0000000000000000 R14: ffff8b11e294b000 R15: 0000000000000001
[ 15.129786] FS: 00007fa96e826780(0000) GS:ffff8b18deb40000(0000) knlGS:0000000000000000
[ 15.129788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.129790] CR2: 0000000000000060 CR3: 000000010b8ce000 CR4: 00000000003506e0
[-- Attachment #4: lsblk.txt --]
[-- Type: text/plain, Size: 1810 bytes --]
########################## NORMAL lsblk ##########################
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sdb 8:16 1 7,3T 0 disk
├─sdb1 8:17 1 1M 0 part
├─sdb2 8:18 1 127M 0 part
├─sdb3 8:19 1 7,3T 0 part
└─ldm_part_BENZIUMINATOR-Dg0_Disk2-01 254:5 0 7,3T 0 ldm
└─ldm_vol_BENZIUMINATOR-Dg0_Volume1 254:6 0 7,3T 0 ldm
sdc 8:32 1 7,3T 0 disk
├─sdc1 8:33 1 7,3T 0 part
├─sdc2 8:34 1 1M 0 part
├─sdc3 8:35 1 127M 0 part
└─ldm_part_BENZIUMINATOR-Dg0_Disk1-01 254:4 0 7,3T 0 ldm
└─ldm_vol_BENZIUMINATOR-Dg0_Volume1 254:6 0 7,3T 0 ldm
############### lsblk with NULL pointer dereference ###############
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sdb 8:16 1 7,3T 0 disk
├─sdb1 8:17 1 1M 0 part
├─sdb2 8:18 1 127M 0 part
├─sdb3 8:19 1 7,3T 0 part
└─ldm_part_BENZIUMINATOR-Dg0_Disk2-01 254:5 0 7,3T 0 ldm
sdc 8:32 1 7,3T 0 disk
├─sdc1 8:33 1 7,3T 0 part
├─sdc2 8:34 1 1M 0 part
├─sdc3 8:35 1 127M 0 part
└─ldm_part_BENZIUMINATOR-Dg0_Disk1-01 254:4 0 7,3T 0 ldm
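An added example (not part of the original thread or of the kernel tree): a small Python triage helper that reads the key lines of an oops like the one attached above and reports the faulting function, the access type decoded from the page-fault error code, the offset from NULL, and the reliable caller frames. The name triage_oops and the one-page NULL threshold are assumptions of this sketch; the sample lines are taken from the attached dmesg excerpt with timestamps and module build IDs trimmed.

```python
import re

# Lines copied from the dmesg excerpt in this thread (timestamps and module build IDs trimmed).
SAMPLE = """\
BUG: kernel NULL pointer dereference, address: 0000000000000060
#PF: error_code(0x0002) - not-present page
RIP: 0010:blk_queue_flag_set+0x7/0x20
RAX: ffff8b11c363a0d0 RBX: ffff8b11e294b070 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001d
Call Trace:
 <TASK>
 md_run+0x67c/0xc70 [md_mod]
 raid_ctr+0x134a/0x28ea [dm_raid]
 ? dm_split_args+0x63/0x150 [dm_mod]
 dm_table_add_target+0x188/0x380 [dm_mod]
"""

# x86 page-fault error code bits: page present, write access, user mode.
PF_PRESENT, PF_WRITE, PF_USER = 0x1, 0x2, 0x4
NULL_PAGE = 4096  # assumption: a fault below one page is treated as NULL + field offset


def triage_oops(text):
    """Hypothetical helper: summarise the fault described by an x86-64 oops."""
    addr = int(re.search(r"address: ([0-9a-f]+)", text).group(1), 16)
    code = int(re.search(r"error_code\((0x[0-9a-f]+)\)", text).group(1), 16)
    func = re.search(r"RIP: 0010:(\w+)\+", text).group(1)
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", text)}
    # Frames prefixed with "?" are unreliable stack leftovers, so they are skipped.
    trace = text.split("Call Trace:", 1)[1]
    callers = re.findall(r"^[ \t]*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?", trace, re.M)
    return {
        "function": func,
        "access": "write" if code & PF_WRITE else "read",
        "mode": "user" if code & PF_USER else "kernel",
        "page_present": bool(code & PF_PRESENT),
        "null_deref": addr < NULL_PAGE,
        "field_offset": addr if addr < NULL_PAGE else None,
        "zero_regs": sorted(n for n, v in regs.items() if v == 0),
        "callers": callers,
    }


if __name__ == "__main__":
    for key, value in triage_oops(SAMPLE).items():
        print(f"{key}: {value}")
```

In the attached oops the faulting instruction bytes (`f0 48 0f ab 7e 60`) decode to a locked `bts` with RSI as the base and a displacement of 0x60, so the zero RSI reported here is the NULL pointer and 0x60 is the offset of the field being written.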
* Re: NULL pointer dereference in blk_queue_flag_set
2022-02-01 22:15 NULL pointer dereference in blk_queue_flag_set jkhsjdhjs
@ 2022-02-02 6:57 ` Song Liu
2022-02-02 12:50 ` jkhsjdhjs
0 siblings, 1 reply; 6+ messages in thread
From: Song Liu @ 2022-02-02 6:57 UTC (permalink / raw)
To: jkhsjdhjs; +Cc: linux-raid
Hi Leon,
On Tue, Feb 1, 2022 at 2:15 PM jkhsjdhjs <jkhsjdhjs@totally.rip> wrote:
>
> Dear Song Liu,
>
> my kernel (5.17-rc2) experiences a NULL pointer dereference when
> activating an LDM (Windows Logical Disk Manager) on Arch Linux using
> ldmtool [1]. I have attached the relevant excerpt of dmesg. This bug
> causes my LDM RAID to fail activating (see ldmtool-status.txt and
> lsblk.txt). Since this worked fine with 5.16, I bisected the kernel and
> found that commit f51d46d0e7cb5b8494aa534d276a9d8915a2443d [2]
> introduced the issue.
>
> I'm not sure what else to add, if there's more information I can
> provide, please tell me. Otherwise I'll happily assist in fixing this
> issue - if there's something I can do.
Thanks for the report! And sorry for the bug.
For the next step, could you please test whether the following change
fixes the issue?
Best,
Song
diff --git i/drivers/md/md.c w/drivers/md/md.c
index 854cbf4234aa..18e987c644c6 100644
--- i/drivers/md/md.c
+++ w/drivers/md/md.c
@@ -5868,10 +5868,6 @@ int md_run(struct mddev *mddev)
nowait = nowait && blk_queue_nowait(bdev_get_queue(rdev->bdev));
}
- /* Set the NOWAIT flags if all underlying devices support it */
- if (nowait)
- blk_queue_flag_set(QUEUE_FLAG_NOWAIT, mddev->queue);
-
if (!bioset_initialized(&mddev->bio_set)) {
err = bioset_init(&mddev->bio_set, BIO_POOL_SIZE, 0,
BIOSET_NEED_BVECS);
if (err)
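Review bot: With the early blk_queue_flag_set(QUEUE_FLAG_NOWAIT, mddev->queue) removed here, nowait is still computed in the rdev loop just above but is no longer used anywhere near it, so a reader of this part of md_run() cannot tell where the value ends up. Consider a one-line comment at the loop saying the flag is applied later, once mddev->queue is known to be usable. The oops in the report (md_run called from raid_ctr, write fault at address 0x60 with a zero base register) shows the queue pointer can be NULL at this point, and that is worth stating in a commit message, which the patch as posted does not have.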
@@ -6009,6 +6005,10 @@ int md_run(struct mddev *mddev)
else
blk_queue_flag_clear(QUEUE_FLAG_NONROT, mddev->queue);
blk_queue_flag_set(QUEUE_FLAG_IO_STAT, mddev->queue);
+
+ /* Set the NOWAIT flags if all underlying devices support it */
+ if (nowait)
+ blk_queue_flag_set(QUEUE_FLAG_NOWAIT, mddev->queue);
}
if (pers->sync_request) {
if (mddev->kobj.sd &&
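Review bot: The re-added blk_queue_flag_set(QUEUE_FLAG_NOWAIT, mddev->queue) just before the closing brace depends on the enclosing block guaranteeing a non-NULL mddev->queue, and that guard is not visible in this hunk. Please confirm the block's condition excludes the dm-raid path from the report, and consider extending the moved comment to say why the call lives here (for example, that mddev->queue may be NULL outside this block). Minor: the comment says "NOWAIT flags" while a single flag is set.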
* Re: NULL pointer dereference in blk_queue_flag_set
2022-02-02 6:57 ` Song Liu
@ 2022-02-02 12:50 ` jkhsjdhjs
2022-02-02 16:57 ` Song Liu
0 siblings, 1 reply; 6+ messages in thread
From: jkhsjdhjs @ 2022-02-02 12:50 UTC (permalink / raw)
To: Song Liu; +Cc: linux-raid
Hey Song,
thanks for the quick reply! I applied your patch on top of 5.17-rc2 and
it fixes the issue:
[ 15.394670] device-mapper: raid: Loading target version 1.15.1
[ 15.395216] device-mapper: raid: Ignoring chunk size parameter for RAID 1
[ 15.395224] device-mapper: raid: Choosing default region size of 4MiB
[ 15.399865] md/raid1:mdX: active with 2 out of 2 mirrors
Best Regards,
Leon
On 02.02.22 07:57, Song Liu wrote:
> Hi Leon,
>
> On Tue, Feb 1, 2022 at 2:15 PM jkhsjdhjs <jkhsjdhjs@totally.rip> wrote:
>> Dear Song Liu,
>>
>> my kernel (5.17-rc2) experiences a NULL pointer dereference when
>> activating an LDM (Windows Logical Disk Manager) on Arch Linux using
>> ldmtool [1]. I have attached the relevant excerpt of dmesg. This bug
>> causes my LDM RAID to fail activating (see ldmtool-status.txt and
>> lsblk.txt). Since this worked fine with 5.16, I bisected the kernel and
>> found that commit f51d46d0e7cb5b8494aa534d276a9d8915a2443d [2]
>> introduced the issue.
>>
>> I'm not sure what else to add, if there's more information I can
>> provide, please tell me. Otherwise I'll happily assist in fixing this
>> issue - if there's something I can do.
> Thanks for the report! And sorry for the bug.
>
> For the next step, could you please test whether the following change
> fixes the issue?
>
> Best,
> Song
>
> diff --git i/drivers/md/md.c w/drivers/md/md.c
> index 854cbf4234aa..18e987c644c6 100644
> --- i/drivers/md/md.c
> +++ w/drivers/md/md.c
> @@ -5868,10 +5868,6 @@ int md_run(struct mddev *mddev)
> nowait = nowait && blk_queue_nowait(bdev_get_queue(rdev->bdev));
> }
>
> - /* Set the NOWAIT flags if all underlying devices support it */
> - if (nowait)
> - blk_queue_flag_set(QUEUE_FLAG_NOWAIT, mddev->queue);
> -
> if (!bioset_initialized(&mddev->bio_set)) {
> err = bioset_init(&mddev->bio_set, BIO_POOL_SIZE, 0,
> BIOSET_NEED_BVECS);
> if (err)
> @@ -6009,6 +6005,10 @@ int md_run(struct mddev *mddev)
> else
> blk_queue_flag_clear(QUEUE_FLAG_NONROT, mddev->queue);
> blk_queue_flag_set(QUEUE_FLAG_IO_STAT, mddev->queue);
> +
> + /* Set the NOWAIT flags if all underlying devices support it */
> + if (nowait)
> + blk_queue_flag_set(QUEUE_FLAG_NOWAIT, mddev->queue);
> }
> if (pers->sync_request) {
> if (mddev->kobj.sd &&
* Re: NULL pointer dereference in blk_queue_flag_set
2022-02-02 12:50 ` jkhsjdhjs
@ 2022-02-02 16:57 ` Song Liu
2022-02-02 17:55 ` jkhsjdhjs
0 siblings, 1 reply; 6+ messages in thread
From: Song Liu @ 2022-02-02 16:57 UTC (permalink / raw)
To: jkhsjdhjs; +Cc: linux-raid
On Wed, Feb 2, 2022 at 4:50 AM jkhsjdhjs <jkhsjdhjs@totally.rip> wrote:
>
> Hey Song,
>
> thanks for the quick reply! I applied your patch on top of 5.17-rc2 and
> it fixes the issue:
>
> [ 15.394670] device-mapper: raid: Loading target version 1.15.1
> [ 15.395216] device-mapper: raid: Ignoring chunk size parameter for RAID 1
> [ 15.395224] device-mapper: raid: Choosing default region size of 4MiB
> [ 15.399865] md/raid1:mdX: active with 2 out of 2 mirrors
>
That's great. Thanks!
Would you like to attach Reported-by and Tested-by tags to the fix?
Song
* Re: NULL pointer dereference in blk_queue_flag_set
2022-02-02 16:57 ` Song Liu
@ 2022-02-02 17:55 ` jkhsjdhjs
2022-02-02 18:24 ` Song Liu
0 siblings, 1 reply; 6+ messages in thread
From: jkhsjdhjs @ 2022-02-02 17:55 UTC (permalink / raw)
To: Song Liu; +Cc: linux-raid
Yes, I'd like that. Since I have never done that before I looked it up
and it seems to me that you'll just add Reported-by and Tested-by to the
commit message. In this case please use Reported-by: Leon Möller
<jkhsjdhjs@totally.rip> and similar for the Tested-by line. Thanks!
Leon
On 02.02.22 17:57, Song Liu wrote:
> On Wed, Feb 2, 2022 at 4:50 AM jkhsjdhjs <jkhsjdhjs@totally.rip> wrote:
>> Hey Song,
>>
>> thanks for the quick reply! I applied your patch on top of 5.17-rc2 and
>> it fixes the issue:
>>
>> [ 15.394670] device-mapper: raid: Loading target version 1.15.1
>> [ 15.395216] device-mapper: raid: Ignoring chunk size parameter for RAID 1
>> [ 15.395224] device-mapper: raid: Choosing default region size of 4MiB
>> [ 15.399865] md/raid1:mdX: active with 2 out of 2 mirrors
>>
> That's great. Thanks!
>
> Would you like to attach Reported-by and Tested-by tags to the fix?
>
> Song
* Re: NULL pointer dereference in blk_queue_flag_set
2022-02-02 17:55 ` jkhsjdhjs
@ 2022-02-02 18:24 ` Song Liu
0 siblings, 0 replies; 6+ messages in thread
From: Song Liu @ 2022-02-02 18:24 UTC (permalink / raw)
To: jkhsjdhjs; +Cc: linux-raid
On Wed, Feb 2, 2022 at 9:55 AM jkhsjdhjs <jkhsjdhjs@totally.rip> wrote:
>
> Yes, I'd like that. Since I have never done that before I looked it up
> and it seems to me that you'll just add Reported-by and Tested-by to the
> commit message. In this case please use Reported-by: Leon Möller
> <jkhsjdhjs@totally.rip> and similar for the Tested-by line. Thanks!
>
Pushed the fix to md-fixes. Thanks again!
Song