fs changes in kernel 4.12 break mount of ntfs-3g, possible data corruption

Bug #1692143 reported by Nicholas Stommel on 2017-05-20
Affects: linux (Ubuntu)    Importance: Undecided    Assigned to: Unassigned

Bug Description

Mounting any ntfs partition or ntfs-formatted external drive in kernel 4.12 results in a critical kernel warning. Possible data corruption could happen, as the drive must be forcibly unmounted. The kernel warning appears in the syslog literally every single time; this is a very reproducible bug. The same warning/stack trace, all pointing to the function super_setup_bdi_name in /linux/fs/super.c:1281 along with related calls to fuse functions, appears in Ubuntu 16.04 LTS, Ubuntu 16.10, and Ubuntu 17.04. Here I will only include the information relevant to my installation of 16.04.2 LTS. This seems rather critical, as ntfs is one of the only suitable formats supported by (and shareable between) Windows and Linux, and I worry that possible data corruption could be happening.

[ 9.574893] ------------[ cut here ]------------
[ 9.574898] WARNING: CPU: 0 PID: 608 at /home/kernel/COD/linux/fs/super.c:1281 super_setup_bdi_name+0xcf/0xe0
[ 9.574899] Modules linked in: hp_wmi intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp arc4 kvm_intel kvm irqbypass crct10dif_pclmul snd_soc_rt298 crc32_pclmul ghash_clmulni_intel pcbc iwlmvm snd_hda_codec_hdmi mac80211 snd_hda_intel snd_hda_codec snd_soc_rt286 snd_hda_core snd_soc_ssm4567 aesni_intel snd_soc_rl6347a snd_hwdep iwlwifi aes_x86_64 crypto_simd snd_soc_core rtsx_pci_ms cfg80211 glue_helper memstick snd_compress elan_i2c snd_pcm_dmaengine ac97_bus cryptd intel_cstate intel_rapl_perf snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi serio_raw snd_seq uvcvideo joydev videobuf2_vmalloc input_leds videobuf2_memops btusb hid_sensor_incl_3d videobuf2_v4l2 hid_sensor_rotation btrtl videobuf2_core btbcm btintel hid_sensor_gyro_3d hid_sensor_accel_3d videodev hid_sensor_magn_3d hid_sensor_trigger
[ 9.574937] bluetooth industrialio_triggered_buffer hid_sensor_iio_common hid_multitouch media lpc_ich ecdh_generic snd_seq_device snd_timer snd mei_me soundcore shpchp mei hp_accel lis3lv02d snd_soc_sst_acpi dw_dmac hp_wireless snd_soc_sst_match input_polldev 8250_dw spi_pxa2xx_platform dw_dmac_core i2c_designware_platform mac_hid i2c_designware_core intel_vbtn sparse_keymap acpi_als acpi_pad kfifo_buf industrialio parport_pc ppdev lp parport autofs4 hid_logitech_hidpp hid_sensor_custom hid_sensor_hub hid_logitech_dj usbhid i915 rtsx_pci_sdmmc i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ahci drm psmouse libahci rtsx_pci wmi video sdhci_acpi i2c_hid sdhci hid
[ 9.574972] CPU: 0 PID: 608 Comm: mount.ntfs-3g Not tainted 4.12.0-041200rc1-generic #201705131731
[ 9.574972] Hardware name: HP HP Spectre x360 Convertible /802D, BIOS F.45 04/21/2017
[ 9.574974] task: ffff9cef7d14c380 task.stack: ffffaff881488000
[ 9.574976] RIP: 0010:super_setup_bdi_name+0xcf/0xe0
[ 9.574977] RSP: 0018:ffffaff88148bc50 EFLAGS: 00010283
[ 9.574978] RAX: 0000000000000000 RBX: ffff9cef7b3d2400 RCX: 0000000000000002
[ 9.574979] RDX: 0000000000000001 RSI: 00000000fffffe01 RDI: ffffffffad7d81bb
[ 9.574980] RBP: ffffaff88148bcd0 R08: ffff9cef8233c6f8 R09: 0000000000000000
[ 9.574981] R10: fffff28cc8f45c00 R11: 0000000000000000 R12: ffff9cef7d277000
[ 9.574982] R13: ffffffffae2d914c R14: ffffaff88148bce0 R15: ffff9cef7b2c3200
[ 9.574983] FS: 00007f2025fa8700(0000) GS:ffff9cef8ec00000(0000) knlGS:0000000000000000
[ 9.574984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9.574985] CR2: 00005617f917e058 CR3: 000000024258e000 CR4: 00000000003406f0
[ 9.574986] Call Trace:
[ 9.574990] ? kmem_cache_alloc_trace+0x181/0x190
[ 9.574993] fuse_fill_super+0x3b3/0x6a0
[ 9.574995] ? vsnprintf+0x24b/0x4d0
[ 9.574997] ? snprintf+0x45/0x70
[ 9.574998] mount_bdev+0x178/0x1b0
[ 9.575000] ? mount_bdev+0x178/0x1b0
[ 9.575001] ? fuse_get_root_inode+0x70/0x70
[ 9.575003] fuse_mount_blk+0x15/0x20
[ 9.575005] mount_fs+0x38/0x140
[ 9.575008] vfs_kern_mount+0x67/0x110
[ 9.575009] do_mount+0x1e1/0xca0
[ 9.575011] ? __check_object_size+0xb3/0x190
[ 9.575013] ? _copy_from_user+0x21/0x70
[ 9.575015] ? kmem_cache_alloc_trace+0x142/0x190
[ 9.575016] SyS_mount+0x83/0xd0
[ 9.575019] entry_SYSCALL_64_fastpath+0x1e/0xa9
[ 9.575020] RIP: 0033:0x7f2025679faa
[ 9.575021] RSP: 002b:00007fffa89e0358 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 9.575023] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00007f2025679faa
[ 9.575024] RDX: 00005633569a95a0 RSI: 00005633569a8430 RDI: 00005633569a8760
[ 9.575025] RBP: 00007fffa89df0f0 R08: 00005633569a8620 R09: 0000000000000028
[ 9.575026] R10: 000000000000000e R11: 0000000000000246 R12: 00005633569a8430
[ 9.575026] R13: 00005633560b287f R14: 00007fffa89df238 R15: 0000000000000001
[ 9.575028] Code: a0 65 48 33 0c 25 28 00 00 00 75 2a 48 83 c4 58 5b 41 5a 41 5c 41 5d 41 5e 5d c3 48 89 df 89 45 84 e8 f6 10 f9 ff 8b 45 84 eb d2 <0f> ff eb c6 b8 f4 ff ff ff eb c7 e8 01 d5 e3 ff 90 0f 1f 44 00
[ 9.575060] ---[ end trace 537ba067458cdec2 ]---


This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Nicholas Stommel (nstommel) wrote :

Okay, so the warning is clearly being generated by the WARN_ON function in fs/super.c.
I realize I could disable the warning, but that sounds like a bad idea. One question though,
why would we be verifying if sb->s_bdi is equal to the address of some "struct backing_dev_info noop_backing_dev_info" from either the files /include/linux/backing-dev.h or /mm/backing-dev.c
(Found references to the definition of this struct in these two files using the power of grep -rl)
in fs/super.c on line 1281, when we reassign it anyway to a local variable bdi right after? In other words, IS there something going wrong here, or is this warning insignificant and should be removed?

1281: WARN_ON(sb->s_bdi != &noop_backing_dev_info);
1282: sb->s_bdi = bdi;

Also see bug report I filed about this problem at https://bugzilla.kernel.org/show_bug.cgi?id=195809
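To make the question above concrete, here is a small added model (not kernel code) of the bdi hand-off that the check at fs/super.c:1281 guards: mount_bdev() points sb->s_bdi at the block device's bdi with a reference held, so a fuseblk mount reaches super_setup_bdi_name() with something other than noop_backing_dev_info and the WARN_ON fires, and the old pointer is overwritten without a put. The function names mirror the kernel's, but the refcounts, the "8:16" bdev bdi and the "0:42-fuseblk" fuse bdi are constructed for the demo; fuse_bdi_init_fixed mirrors the 4.12-rc2 change linked in the next comment.

```c
/* Toy model (added here, not kernel code) of the bdi hand-off behind the WARN_ON
 * above. Names mirror fs/super.c and fs/fuse/inode.c; refcounts, the "8:16" bdev
 * bdi and the "0:42-fuseblk" fuse bdi are constructed for the demo. */
struct backing_dev_info { int refcnt; const char *name; };
struct super_block { struct backing_dev_info *s_bdi; int s_bdev; };
static struct backing_dev_info noop_backing_dev_info = { 1, "noop" };
static struct backing_dev_info blkdev_bdi = { 1, "8:16" };
static int warnings;   /* simulated WARN_ON hit counter */
static void bdi_get(struct backing_dev_info *b) { b->refcnt++; }
static void bdi_put(struct backing_dev_info *b) { b->refcnt--; }

/* mount_bdev()/set_bdev_super(): a block-backed sb takes a ref to the bdev's bdi */
static void set_bdev_super(struct super_block *sb) {
    sb->s_bdev = 1; bdi_get(&blkdev_bdi); sb->s_bdi = &blkdev_bdi;
}

/* super_setup_bdi_name(): expects the sb to still carry the noop bdi, then
 * overwrites s_bdi with the fs's private bdi and never puts the old one */
static void super_setup_bdi_name(struct super_block *sb, struct backing_dev_info *priv) {
    if (sb->s_bdi != &noop_backing_dev_info)   /* fs/super.c:1281 */
        warnings++;
    sb->s_bdi = priv;
}

/* fuse_bdi_init() after commit 69c8ebf: drop the bdev bdi ref and reset to noop
 * before the setup call. The pre-fix path is just super_setup_bdi_name() itself. */
static void fuse_bdi_init_fixed(struct super_block *sb, struct backing_dev_info *priv) {
    if (sb->s_bdev) {
        bdi_put(sb->s_bdi);
        sb->s_bdi = &noop_backing_dev_info;
    }
    super_setup_bdi_name(sb, priv);
}

/* Mount a block-backed fuse sb once via the old (fixed=0) or fixed path and
 * return the number of WARN_ON hits; blkdev_refs_leaked() reports the leak. */
static int mount_fuseblk_warnings(int fixed) {
    struct super_block sb = { &noop_backing_dev_info, 0 };
    struct backing_dev_info fuse_bdi = { 1, "0:42-fuseblk" };
    warnings = 0;
    blkdev_bdi.refcnt = 1;
    set_bdev_super(&sb);
    if (fixed) fuse_bdi_init_fixed(&sb, &fuse_bdi);
    else       super_setup_bdi_name(&sb, &fuse_bdi);
    return warnings;
}

/* bdev bdi refs still held once s_bdi was overwritten (0 means nothing leaked) */
static int blkdev_refs_leaked(void) { return blkdev_bdi.refcnt - 1; }
```

The old path yields one warning per mount and one leaked bdev bdi reference; the fixed path yields neither, which is why the check is worth keeping rather than silencing.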

Nicholas Stommel (nstommel) wrote :

Seems this was resolved in 4.12-rc2, mounting ntfs-3g volumes is fine, doesn't generate a kernel warning! It was fixed in fs/fuse/inode.c at https://github.com/torvalds/linux/commit/69c8ebf83213e6165b13d94ec599b861467ee2dc

with

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 5a1b58f..65c8837 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -975,8 +975,15 @@ static int fuse_bdi_init(struct fuse_conn *fc, struct super_block *sb)
  int err;
  char *suffix = "";

- if (sb->s_bdev)
+ if (sb->s_bdev) {
   suffix = "-fuseblk";
+ /*
+ * sb->s_bdi points to blkdev's bdi however we want to redirect
+ * it to our private bdi...
+ */
+ bdi_put(sb->s_bdi);
+ sb->s_bdi = &noop_backing_dev_info;
+ }
  err = super_setup_bdi_name(sb, "%u:%u%s", MAJOR(fc->dev),
        MINOR(fc->dev), suffix);
  if (err)
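Review bot: the new comment inside the `if (sb->s_bdev)` block trails off with "..." and leaves out the actual reason, which is exactly what the earlier comment on this bug asked about; suggest stating it: `super_setup_bdi_name()` does `WARN_ON(sb->s_bdi != &noop_backing_dev_info)` before installing the private bdi, and `mount_bdev()` has already pointed `sb->s_bdi` at the block device's bdi, so the `bdi_put(sb->s_bdi)` releases that reference (it would otherwise leak when the pointer is overwritten) and the reset to `&noop_backing_dev_info` satisfies the check. Worth noting in the description too that this fires on every fuseblk mount (here via `mount.ntfs-3g`), not just in a corner case, as the trace above shows.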

no longer affects: fuse (Ubuntu)
no longer affects: ntfs-3g (Ubuntu)
Nicholas Stommel (nstommel) wrote :

This was fixed in 4.12-rc2!

Changed in linux (Ubuntu):
status: Confirmed → Fix Released