sendfile/splice-related kernel NULL pointer dereference in zpl_iter_read+0x150/0x1a0 #11375

softminus · 2020-12-19T02:18:36Z

System information

Type	Version/Name
Distribution Name	Arch linux
Distribution Version	rolling release
Linux Kernel	5.10.0-rc7
Architecture	x86_64
ZFS Version	2.0.0-rc1_289_g1c0bbd52c
SPL Version	2.0.0-rc1_289_g1c0bbd52c

Describe the problem you're observing

pip install --user --upgrade git+https://github.com/nmigen/nmigen.git reliably fails and causes this to show up in dmesg:

[  115.753277] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  115.753279] #PF: supervisor read access in kernel mode
[  115.753280] #PF: error_code(0x0000) - not-present page
[  115.753280] PGD 0 P4D 0
[  115.753282] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  115.753284] CPU: 0 PID: 5271 Comm: pip Tainted: P S         O      5.10.0-rc7-ZUN #8
[  115.753284] Hardware name: FUJITSU /D3641-S1, BIOS V5.0.0.13 R1.8.0 for D3641-S1x                     01/16/2020
[  115.753288] RIP: 0010:iov_iter_advance+0x1b1/0x380
[  115.753289] Code: 0c eb 30 83 ed 01 44 89 f0 4c 89 e7 21 e8 48 8d 14 80 49 8b 84 24 98 00 00 00 48 8d 34 d0 48 8b 46 10 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 56 cd 7e 00 44 39 ed 75 cb 45 89 6c 24 50 e9 e6 fe
[  115.753290] RSP: 0018:ffffb33fa2ad7ca0 EFLAGS: 00010206
[  115.753291] RAX: 0000000000000000 RBX: ffffb33fa2ad7d60 RCX: fffff47a084a9b08
[  115.753291] RDX: 000000000000004b RSI: ffff9cf54475c658 RDI: ffff9cf4e2c4c6c0
[  115.753292] RBP: 00000000ffffffff R08: ffff9cf54475c400 R09: 000000000000000f
[  115.753293] R10: ffff9cf54475c400 R11: 00000000000003ea R12: ffff9cf4e2c4c6c0
[  115.753293] R13: 0000000000000011 R14: 000000000000000f R15: ffff9cf5a9513e00
[  115.753294] FS:  00007f0f87780740(0000) GS:ffff9cfc0da00000(0000) knlGS:0000000000000000
[  115.753295] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  115.753296] CR2: 0000000000000008 CR3: 00000001fcaae003 CR4: 00000000003706f0
[  115.753297] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  115.753297] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  115.753298] Call Trace:
[  115.753342]  zpl_iter_read+0x150/0x1a0 [zfs]
[  115.753346]  generic_file_splice_read+0x13d/0x1f0
[  115.753348]  ? alloc_pipe_info+0xd5/0x220
[  115.753349]  splice_direct_to_actor+0xd7/0x230
[  115.753350]  ? generic_file_splice_read+0x1f0/0x1f0
[  115.753352]  do_splice_direct+0x8b/0xd0
[  115.753354]  do_sendfile+0x165/0x4e0
[  115.753355]  __x64_sys_sendfile64+0x63/0xc0
[  115.753358]  do_syscall_64+0x33/0x40
[  115.753360]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  115.753361] RIP: 0033:0x7f0f879eda9e

Describe how to reproduce the problem

use above versions of linux and zfs, invoke that pip command (which i think invokes sendfile/splice), and it fails and dumps the messages below in the dmesg.

Include any warning/errors/backtraces from the system logs

[  115.753277] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  115.753279] #PF: supervisor read access in kernel mode
[  115.753280] #PF: error_code(0x0000) - not-present page
[  115.753280] PGD 0 P4D 0
[  115.753282] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  115.753284] CPU: 0 PID: 5271 Comm: pip Tainted: P S         O      5.10.0-rc7-ZUN #8
[  115.753284] Hardware name: FUJITSU /D3641-S1, BIOS V5.0.0.13 R1.8.0 for D3641-S1x                     01/16/2020
[  115.753288] RIP: 0010:iov_iter_advance+0x1b1/0x380
[  115.753289] Code: 0c eb 30 83 ed 01 44 89 f0 4c 89 e7 21 e8 48 8d 14 80 49 8b 84 24 98 00 00 00 48 8d 34 d0 48 8b 46 10 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 56 cd 7e 00 44 39 ed 75 cb 45 89 6c 24 50 e9 e6 fe
[  115.753290] RSP: 0018:ffffb33fa2ad7ca0 EFLAGS: 00010206
[  115.753291] RAX: 0000000000000000 RBX: ffffb33fa2ad7d60 RCX: fffff47a084a9b08
[  115.753291] RDX: 000000000000004b RSI: ffff9cf54475c658 RDI: ffff9cf4e2c4c6c0
[  115.753292] RBP: 00000000ffffffff R08: ffff9cf54475c400 R09: 000000000000000f
[  115.753293] R10: ffff9cf54475c400 R11: 00000000000003ea R12: ffff9cf4e2c4c6c0
[  115.753293] R13: 0000000000000011 R14: 000000000000000f R15: ffff9cf5a9513e00
[  115.753294] FS:  00007f0f87780740(0000) GS:ffff9cfc0da00000(0000) knlGS:0000000000000000
[  115.753295] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  115.753296] CR2: 0000000000000008 CR3: 00000001fcaae003 CR4: 00000000003706f0
[  115.753297] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  115.753297] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  115.753298] Call Trace:
[  115.753342]  zpl_iter_read+0x150/0x1a0 [zfs]
[  115.753346]  generic_file_splice_read+0x13d/0x1f0
[  115.753348]  ? alloc_pipe_info+0xd5/0x220
[  115.753349]  splice_direct_to_actor+0xd7/0x230
[  115.753350]  ? generic_file_splice_read+0x1f0/0x1f0
[  115.753352]  do_splice_direct+0x8b/0xd0
[  115.753354]  do_sendfile+0x165/0x4e0
[  115.753355]  __x64_sys_sendfile64+0x63/0xc0
[  115.753358]  do_syscall_64+0x33/0x40
[  115.753360]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  115.753361] RIP: 0033:0x7f0f879eda9e
[  115.753362] Code: c3 0f 1f 00 4c 89 d2 4c 89 c6 e9 bd fd ff ff 0f 1f 44 00 00 31 c0 c3 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a2 c3 0c 00 f7 d8 64 89 01 48
[  115.753363] RSP: 002b:00007ffd2e92a358 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[  115.753364] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f0f879eda9e
[  115.753365] RDX: 00007ffd2e92a360 RSI: 0000000000000003 RDI: 0000000000000004
[  115.753365] RBP: 00005559349220f8 R08: 0000000000000000 R09: 00007f0f8735b990
[  115.753366] R10: 0000000000800000 R11: 0000000000000246 R12: 0000000000000003
[  115.753367] R13: 00007ffd2e92a360 R14: 0000000000800000 R15: 0000555934181bb0
[  115.753368] Modules linked in: msr intel_rapl_msr snd_sof_pci intel_rapl_common snd_sof_intel_byt snd_sof_intel_ipc snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_xtensa_dsp snd_sof_intel_hda snd_sof snd_hda_codec_hdmi snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp coretemp snd_hda_codec_generic snd_compress kvm_intel ledtrig_audio ac97_bus snd_hda_intel snd_intel_dspcfg kvm snd_hda_codec irqbypass crct10dif_pclmul snd_hwdep crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_core aesni_intel glue_helper snd_pcm crypto_simd nls_iso8859_1 cryptd iTCO_wdt iTCO_vendor_support nls_cp437 snd_timer snd rapl intel_cstate igb e1000e soundcore input_leds intel_uncore mousedev led_class i2c_i801 dca i2c_smbus intel_pch_thermal evdev ftsteutates drivetemp ip_tables x_tables hid_generic usbhid hid sd_mod zfs(PO) zunicode(PO) zzstd(O) zlua(O) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) xhci_pci xhci_hcd ahci
[  115.753401]  libahci i915 video intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm backlight agpgart vfat fat atkbd libps2 serio
[  115.753409] CR2: 0000000000000008
[  115.753410] ---[ end trace 770d0a60ef7f6fa0 ]---
[  115.866185] RIP: 0010:iov_iter_advance+0x1b1/0x380
[  115.866189] Code: 0c eb 30 83 ed 01 44 89 f0 4c 89 e7 21 e8 48 8d 14 80 49 8b 84 24 98 00 00 00 48 8d 34 d0 48 8b 46 10 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 56 cd 7e 00 44 39 ed 75 cb 45 89 6c 24 50 e9 e6 fe
[  115.866190] RSP: 0018:ffffb33fa2ad7ca0 EFLAGS: 00010206
[  115.866192] RAX: 0000000000000000 RBX: ffffb33fa2ad7d60 RCX: fffff47a084a9b08
[  115.866193] RDX: 000000000000004b RSI: ffff9cf54475c658 RDI: ffff9cf4e2c4c6c0
[  115.866194] RBP: 00000000ffffffff R08: ffff9cf54475c400 R09: 000000000000000f
[  115.866195] R10: ffff9cf54475c400 R11: 00000000000003ea R12: ffff9cf4e2c4c6c0
[  115.866195] R13: 0000000000000011 R14: 000000000000000f R15: ffff9cf5a9513e00
[  115.866196] FS:  00007f0f87780740(0000) GS:ffff9cfc0da00000(0000) knlGS:0000000000000000
[  115.866197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  115.866212] CR2: 0000000000000008 CR3: 00000001fcaae003 CR4: 00000000003706f0
[  115.866213] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  115.866213] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  122.769374] kauditd_printk_skb: 11 callbacks suppressed
[  122.769393] audit: type=1100 audit(1608343962.783:71): pid=5607 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=? acct="thz" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=failed'
[  135.495075] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  135.495078] #PF: supervisor read access in kernel mode
[  135.495079] #PF: error_code(0x0000) - not-present page
[  135.495080] PGD 0 P4D 0
[  135.495081] Oops: 0000 [#2] PREEMPT SMP NOPTI
[  135.495083] CPU: 15 PID: 5820 Comm: pip Tainted: P S    D    O      5.10.0-rc7-ZUN #8
[  135.495084] Hardware name: FUJITSU /D3641-S1, BIOS V5.0.0.13 R1.8.0 for D3641-S1x                     01/16/2020
[  135.495087] RIP: 0010:iov_iter_advance+0x1b1/0x380
[  135.495088] Code: 0c eb 30 83 ed 01 44 89 f0 4c 89 e7 21 e8 48 8d 14 80 49 8b 84 24 98 00 00 00 48 8d 34 d0 48 8b 46 10 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 56 cd 7e 00 44 39 ed 75 cb 45 89 6c 24 50 e9 e6 fe
[  135.495089] RSP: 0018:ffffb33f8ae4fca0 EFLAGS: 00010206
[  135.495090] RAX: 0000000000000000 RBX: ffffb33f8ae4fd60 RCX: fffff47a064b7088
[  135.495090] RDX: 000000000000004b RSI: ffff9cf5c12aa658 RDI: ffff9cf581998240
[  135.495091] RBP: 00000000ffffffff R08: ffff9cf5c12aa400 R09: 000000000000000f
[  135.495092] R10: ffff9cf5c12aa400 R11: 00000000000003ea R12: ffff9cf581998240
[  135.495092] R13: 0000000000000011 R14: 000000000000000f R15: ffff9cf5ccc786c0
[  135.495093] FS:  00007fa16b453740(0000) GS:ffff9cfc0ddc0000(0000) knlGS:0000000000000000
[  135.495094] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  135.495095] CR2: 0000000000000008 CR3: 000000013a01a005 CR4: 00000000003706e0
[  135.495095] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  135.495096] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  135.495097] Call Trace:
[  135.495136]  zpl_iter_read+0x150/0x1a0 [zfs]
[  135.495139]  generic_file_splice_read+0x13d/0x1f0
[  135.495141]  ? alloc_pipe_info+0xd5/0x220
[  135.495143]  splice_direct_to_actor+0xd7/0x230
[  135.495143]  ? generic_file_splice_read+0x1f0/0x1f0
[  135.495145]  do_splice_direct+0x8b/0xd0
[  135.495146]  do_sendfile+0x165/0x4e0
[  135.495148]  __x64_sys_sendfile64+0x63/0xc0
[  135.495151]  do_syscall_64+0x33/0x40
[  135.495152]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  135.495154] RIP: 0033:0x7fa16b6c0a9e
[  135.495155] Code: c3 0f 1f 00 4c 89 d2 4c 89 c6 e9 bd fd ff ff 0f 1f 44 00 00 31 c0 c3 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a2 c3 0c 00 f7 d8 64 89 01 48
[  135.495155] RSP: 002b:00007ffc322ce048 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[  135.495156] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa16b6c0a9e
[  135.495157] RDX: 00007ffc322ce050 RSI: 0000000000000003 RDI: 0000000000000004
[  135.495158] RBP: 00005555e1cdf0f8 R08: 0000000000000000 R09: 00007fa16b02e990
[  135.495158] R10: 0000000000800000 R11: 0000000000000246 R12: 0000000000000003
[  135.495159] R13: 00007ffc322ce050 R14: 0000000000800000 R15: 00005555e153ebb0
[  135.495160] Modules linked in: msr intel_rapl_msr snd_sof_pci intel_rapl_common snd_sof_intel_byt snd_sof_intel_ipc snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_xtensa_dsp snd_sof_intel_hda snd_sof snd_hda_codec_hdmi snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp coretemp snd_hda_codec_generic snd_compress kvm_intel ledtrig_audio ac97_bus snd_hda_intel snd_intel_dspcfg kvm snd_hda_codec irqbypass crct10dif_pclmul snd_hwdep crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_core aesni_intel glue_helper snd_pcm crypto_simd nls_iso8859_1 cryptd iTCO_wdt iTCO_vendor_support nls_cp437 snd_timer snd rapl intel_cstate igb e1000e soundcore input_leds intel_uncore mousedev led_class i2c_i801 dca i2c_smbus intel_pch_thermal evdev ftsteutates drivetemp ip_tables x_tables hid_generic usbhid hid sd_mod zfs(PO) zunicode(PO) zzstd(O) zlua(O) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) xhci_pci xhci_hcd ahci
[  135.495190]  libahci i915 video intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm backlight agpgart vfat fat atkbd libps2 serio
[  135.495198] CR2: 0000000000000008
[  135.495199] ---[ end trace 770d0a60ef7f6fa1 ]---
[  135.609489] RIP: 0010:iov_iter_advance+0x1b1/0x380
[  135.609490] Code: 0c eb 30 83 ed 01 44 89 f0 4c 89 e7 21 e8 48 8d 14 80 49 8b 84 24 98 00 00 00 48 8d 34 d0 48 8b 46 10 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 56 cd 7e 00 44 39 ed 75 cb 45 89 6c 24 50 e9 e6 fe
[  135.609491] RSP: 0018:ffffb33fa2ad7ca0 EFLAGS: 00010206
[  135.609492] RAX: 0000000000000000 RBX: ffffb33fa2ad7d60 RCX: fffff47a084a9b08
[  135.609493] RDX: 000000000000004b RSI: ffff9cf54475c658 RDI: ffff9cf4e2c4c6c0
[  135.609493] RBP: 00000000ffffffff R08: ffff9cf54475c400 R09: 000000000000000f
[  135.609494] R10: ffff9cf54475c400 R11: 00000000000003ea R12: ffff9cf4e2c4c6c0
[  135.609495] R13: 0000000000000011 R14: 000000000000000f R15: ffff9cf5a9513e00
[  135.609496] FS:  00007fa16b453740(0000) GS:ffff9cfc0ddc0000(0000) knlGS:0000000000000000
[  135.609496] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  135.609497] CR2: 0000000000000008 CR3: 000000013a01a005 CR4: 00000000003706e0
[  135.609498] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  135.609498] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  137.881134] audit: type=1100 audit(1608343977.895:72): pid=5911 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=? acct="thz" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=failed'
[  321.930866] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  321.930869] #PF: supervisor read access in kernel mode
[  321.930870] #PF: error_code(0x0000) - not-present page
[  321.930870] PGD 0 P4D 0
[  321.930872] Oops: 0000 [#3] PREEMPT SMP NOPTI
[  321.930874] CPU: 12 PID: 7532 Comm: pip Tainted: P S    D    O      5.10.0-rc7-ZUN #8
[  321.930874] Hardware name: FUJITSU /D3641-S1, BIOS V5.0.0.13 R1.8.0 for D3641-S1x                     01/16/2020
[  321.930877] RIP: 0010:iov_iter_advance+0x1b1/0x380
[  321.930879] Code: 0c eb 30 83 ed 01 44 89 f0 4c 89 e7 21 e8 48 8d 14 80 49 8b 84 24 98 00 00 00 48 8d 34 d0 48 8b 46 10 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 56 cd 7e 00 44 39 ed 75 cb 45 89 6c 24 50 e9 e6 fe
[  321.930879] RSP: 0018:ffffb33fabea3ca0 EFLAGS: 00010206
[  321.930880] RAX: 0000000000000000 RBX: ffffb33fabea3d60 RCX: fffff47a04511908
[  321.930881] RDX: 000000000000004b RSI: ffff9cf556506e58 RDI: ffff9cf543898a80
[  321.930882] RBP: 00000000ffffffff R08: ffff9cf556506c00 R09: 000000000000000f
[  321.930883] R10: ffff9cf556506c00 R11: 00000000000003ea R12: ffff9cf543898a80
[  321.930883] R13: 0000000000000011 R14: 000000000000000f R15: ffff9cf55311dec0
[  321.930884] FS:  00007f141e294740(0000) GS:ffff9cfc0dd00000(0000) knlGS:0000000000000000
[  321.930885] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  321.930885] CR2: 0000000000000008 CR3: 00000001570e2003 CR4: 00000000003706e0
[  321.930886] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  321.930887] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  321.930887] Call Trace:
[  321.930927]  zpl_iter_read+0x150/0x1a0 [zfs]
[  321.930931]  generic_file_splice_read+0x13d/0x1f0
[  321.930933]  ? alloc_pipe_info+0xd5/0x220
[  321.930934]  splice_direct_to_actor+0xd7/0x230
[  321.930935]  ? generic_file_splice_read+0x1f0/0x1f0
[  321.930936]  do_splice_direct+0x8b/0xd0
[  321.930938]  do_sendfile+0x165/0x4e0
[  321.930940]  __x64_sys_sendfile64+0x63/0xc0
[  321.930942]  do_syscall_64+0x33/0x40
[  321.930944]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  321.930946] RIP: 0033:0x7f141e501a9e
[  321.930947] Code: c3 0f 1f 00 4c 89 d2 4c 89 c6 e9 bd fd ff ff 0f 1f 44 00 00 31 c0 c3 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a2 c3 0c 00 f7 d8 64 89 01 48
[  321.930948] RSP: 002b:00007fff9bd34c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[  321.930949] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f141e501a9e
[  321.930949] RDX: 00007fff9bd34c90 RSI: 0000000000000003 RDI: 0000000000000004
[  321.930950] RBP: 000055cede7bdf48 R08: 0000000000000000 R09: 00007f141de6f990
[  321.930951] R10: 0000000000800000 R11: 0000000000000246 R12: 0000000000000003
[  321.930951] R13: 00007fff9bd34c90 R14: 0000000000800000 R15: 000055cede019bb0
[  321.930953] Modules linked in: msr intel_rapl_msr snd_sof_pci intel_rapl_common snd_sof_intel_byt snd_sof_intel_ipc snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_xtensa_dsp snd_sof_intel_hda snd_sof snd_hda_codec_hdmi snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp coretemp snd_hda_codec_generic snd_compress kvm_intel ledtrig_audio ac97_bus snd_hda_intel snd_intel_dspcfg kvm snd_hda_codec irqbypass crct10dif_pclmul snd_hwdep crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_core aesni_intel glue_helper snd_pcm crypto_simd nls_iso8859_1 cryptd iTCO_wdt iTCO_vendor_support nls_cp437 snd_timer snd rapl intel_cstate igb e1000e soundcore input_leds intel_uncore mousedev led_class i2c_i801 dca i2c_smbus intel_pch_thermal evdev ftsteutates drivetemp ip_tables x_tables hid_generic usbhid hid sd_mod zfs(PO) zunicode(PO) zzstd(O) zlua(O) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) xhci_pci xhci_hcd ahci
[  321.930983]  libahci i915 video intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm backlight agpgart vfat fat atkbd libps2 serio
[  321.930991] CR2: 0000000000000008
[  321.930992] ---[ end trace 770d0a60ef7f6fa2 ]---
[  322.047430] RIP: 0010:iov_iter_advance+0x1b1/0x380
[  322.047433] Code: 0c eb 30 83 ed 01 44 89 f0 4c 89 e7 21 e8 48 8d 14 80 49 8b 84 24 98 00 00 00 48 8d 34 d0 48 8b 46 10 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 56 cd 7e 00 44 39 ed 75 cb 45 89 6c 24 50 e9 e6 fe
[  322.047434] RSP: 0018:ffffb33fa2ad7ca0 EFLAGS: 00010206
[  322.047435] RAX: 0000000000000000 RBX: ffffb33fa2ad7d60 RCX: fffff47a084a9b08
[  322.047436] RDX: 000000000000004b RSI: ffff9cf54475c658 RDI: ffff9cf4e2c4c6c0
[  322.047436] RBP: 00000000ffffffff R08: ffff9cf54475c400 R09: 000000000000000f
[  322.047437] R10: ffff9cf54475c400 R11: 00000000000003ea R12: ffff9cf4e2c4c6c0
[  322.047438] R13: 0000000000000011 R14: 000000000000000f R15: ffff9cf5a9513e00
[  322.047439] FS:  00007f141e294740(0000) GS:ffff9cfc0dd00000(0000) knlGS:0000000000000000
[  322.047439] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  322.047440] CR2: 0000000000000008 CR3: 00000001570e2003 CR4: 00000000003706e0
[  322.047441] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  322.047441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

The text was updated successfully, but these errors were encountered:

softminus · 2020-12-19T02:22:27Z

Oh and if it is relevant, i have a single zpool consisting of a single mirror vdev, composed of one 1TB NVMe SSD and one 1TB SATA SSD.

behlendorf · 2020-12-19T04:39:19Z

Thanks for reporting this. I was able to reproduce the issue and will investigate.

There's no need to call iov_iter_advance() in zpl_iter_read(). This was preserved from the previous code where it wasn't needed but also didn't cause any problems. Now that the iter functions also handle pipes that's no longer the case. When fully reading a pipe buffer iov_iter_advance() may results in the pipe buf release function being called which will not be registered resulting in a NULL dereference. Signed-off-by: Brian Behlendorf <[email protected]> Closes #11375 Closes #11378

devsk · 2021-01-10T08:46:32Z

Did this make it into 2.0.1?

behlendorf · 2021-01-11T17:42:52Z

Yes. This fix was included in 2.0.1.

There's no need to call iov_iter_advance() in zpl_iter_read(). This was preserved from the previous code where it wasn't needed but also didn't cause any problems. Now that the iter functions also handle pipes that's no longer the case. When fully reading a pipe buffer iov_iter_advance() may results in the pipe buf release function being called which will not be registered resulting in a NULL dereference. Signed-off-by: Brian Behlendorf <[email protected]> Closes openzfs#11375 Closes openzfs#11378

softminus added Status: Triage Needed New issue which needs to be triaged Type: Defect Incorrect behavior (e.g. crash, hang) labels Dec 19, 2020

behlendorf removed the Status: Triage Needed New issue which needs to be triaged label Dec 19, 2020

behlendorf mentioned this issue Dec 19, 2020

Remove iov_iter_advance() from iter_read #11378

Merged

13 tasks

behlendorf closed this as completed in 9ac535e Dec 20, 2020

65a mentioned this issue Jan 30, 2023

Kernel NULL pointer dereference: RIP: 0010:zpl_iter_read+0x120/0x1a0 [zfs] #14431

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sendfile/splice-related kernel NULL pointer dereference in zpl_iter_read+0x150/0x1a0 #11375

sendfile/splice-related kernel NULL pointer dereference in zpl_iter_read+0x150/0x1a0 #11375

softminus commented Dec 19, 2020

softminus commented Dec 19, 2020

behlendorf commented Dec 19, 2020

devsk commented Jan 10, 2021

behlendorf commented Jan 11, 2021

sendfile/splice-related kernel NULL pointer dereference in zpl_iter_read+0x150/0x1a0 #11375

sendfile/splice-related kernel NULL pointer dereference in zpl_iter_read+0x150/0x1a0 #11375

Comments

softminus commented Dec 19, 2020

System information

Describe the problem you're observing

Describe how to reproduce the problem

Include any warning/errors/backtraces from the system logs

softminus commented Dec 19, 2020

behlendorf commented Dec 19, 2020

devsk commented Jan 10, 2021

behlendorf commented Jan 11, 2021