Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 593236 - kernel panic when the hardware sector size reported by drive is larger than page size
Summary: kernel panic when the hardware sector size reported by drive is larger than p...
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.6
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Red Hat Kernel Manager
QA Contact: Red Hat Kernel QE team
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-18 09:29 UTC by Mark Wu
Modified: 2018-11-14 19:30 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-06-14 20:11:09 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Mark Wu 2010-05-18 09:29:30 UTC
Description of problem:
If a faulty hardware reports a bogus block size and it's passed to create_empty_buffers, it will cause kernel panic.

void create_empty_buffers(struct page *page,
			unsigned long blocksize, unsigned long b_state)
	struct buffer_head *bh, *head, *tail;

	head = create_buffers(page, blocksize, 1);
	bh = head;
	do {
		bh->b_state |= b_state;   ---> panic here
		tail = bh;
		bh = bh->b_this_page;
	} while (bh);
	tail->b_this_page = head;

because create_buffers will not do any initializing work when size is bigger than page size and return NULL.
create_buffers(struct page * page, unsigned long size, int retry)
	head = NULL;
	offset = PAGE_SIZE;
	while ((offset -= size) >= 0) {
	return head;

So I think we need add some checking code to avoid panic.

panic message:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
 printing eip:
*pde = 2fea5001
Oops: 0002 [#1]
Modules linked in: nls_utf8 vfat fat nfs mptctl ipmi_devintf ipmi_si ipmi_msghandler nfsd exportfs lockd nfs_acl md5 ipv6 i2c_dev i2c_core sunrpc ip_nat_ftp iptable_nat ip_conntrack_ftp ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables ide_dump cciss_dump scsi_dump diskdump zlib_deflate usb_storage dm_mirror dm_mod button battery ac joydev ehci_hcd uhci_hcd hw_random e1000 bnx2 bonding(U) sg st ext3 jbd ata_piix libata cciss mptscsih qla2400(U) mptsas qla2300(U) mptspi mptscsi qla2xxx(U) qla2xxx_conf(U) mptbase sd_mod scsi_mod
CPU:    0
EIP:    0060:[<c015e04f>]    Not tainted VLI
EFLAGS: 00010287   (2.6.9-67.0.1.ELsmp) 
EIP is at create_empty_buffers+0x15/0x70
eax: 00000000   ebx: c1178ac0   ecx: 00000001   edx: 00000000
esi: 00000000   edi: 00000000   ebp: c1178ac0   esp: c5923d04
ds: 007b   es: 007b   ss: 0068
Process mount (pid: 14845, threadinfo=c5923000 task=f6dca1b0)
Stack: 0000000c f601f6e4 00000000 c015e90c 00000220 00000046 00000001 f601f6f0 
       00008000 f601f6e8 00000000 00000000 c01c302c 00000001 f601f634 c01620ea 
       00000000 f601f6e8 c1178ac0 f601f6e4 00000000 00000000 c0140922 c1178ac0 
Call Trace:
 [<c015e90c>] block_read_full_page+0x61/0x2af
 [<c01c302c>] radix_tree_node_alloc+0x10/0x49
 [<c01620ea>] blkdev_get_block+0x0/0x46
 [<c0140922>] add_to_page_cache+0x8e/0x95
 [<c01469b1>] read_pages+0x97/0xdd
 [<c01443bc>] buffered_rmqueue+0x17d/0x1a5
 [<c0144498>] __alloc_pages+0xb4/0x2a6
 [<c0146cd5>] do_page_cache_readahead+0x138/0x158
 [<c0146e5b>] page_cache_readahead+0x166/0x258
 [<c0140fb5>] do_generic_mapping_read+0x138/0x445
 [<c015dec5>] invalidate_bh_lru+0x26/0x36
 [<c014150c>] __generic_file_aio_read+0x181/0x1b2
 [<c01412c2>] file_read_actor+0x0/0xc9
 [<c014161c>] generic_file_read+0x98/0xaf
 [<c015b081>] __dentry_open+0xda/0x18f
 [<c015af45>] filp_open+0x51/0x65
 [<c012051d>] autoremove_wake_function+0x0/0x2d
 [<c0162246>] block_llseek+0x30/0xeb
 [<c0162216>] block_llseek+0x0/0xeb
 [<c015ba62>] vfs_read+0xb6/0xe2
 [<c015bc77>] sys_read+0x3c/0x62
 [<c02d8613>] syscall_call+0x7/0xb
Code: f0 e8 fd fe ff ff 89 44 24 04 8b 44 24 04 83 c4 0c 5b 5e 5f 5d c3 57 89 cf b9 01 00 00 00 56 53 89 c3 e8 d8 f7 ff ff 89 c6 89 c2 <09> 3a 89 d0 8b 52 04 85 d2 75 f5 89 70 04 8b 43 10 83 c0 4c e8 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Note You need to log in before you can comment on or make changes to this bug.