aufs crash at au_set_fbstart in aufs3 (3.4 kernel).


 



Hi

Has anyone run into this crash with aufs 3? We hit this in production.

Thank you.

<1>[45257161.254682] BUG: unable to handle kernel NULL pointer
dereference at 0000000000000038
<1>[45257161.351193] IP: [<ffffffff8117a5dc>] au_do_open_nondir+0x3b/0xaf
<4>[45257161.425916] PGD 80ffb067 PUD 2d20b067 PMD 0
<4>[45257161.425923] Oops: 0002 [#1] PREEMPT SMP
<4>[45257161.425930] CPU 1
<4>[45257161.425932] Modules linked in: arptable_filter arp_tables
dummy ipt_ULOG nf_conntrack_ipv6 nf_defrag_ipv6 ip6t_REJECT
ip6table_mangle
nf_conntrack_ipv4 nf_defrag_ipv4 xt_LOG xt_limit xt_hl xt_state
ipt_REJECT xt_multiport xt_tcpudp iptable_mangle msr sch_prio
kbfd(O) 8021q garp stp llc tun nf_conntrack_tftp iptable_raw
iptable_filter ip_tables xt_NOTRACK nf_conntrack xt_mark ip6table_raw
ip6table_filter ip6_tables x_tables scd(O) amd64_edac_mod k10temp
hwmon microcode kvm_amd kvm
<4>[45257161.425985]
<4>[45257161.425990] Pid: 29253, comm: sandy2 Tainted: P           O
3.4.43.Ar-3379181.4167M #1
<4>[45257161.425996] RIP: 0010:[<ffffffff8117a5dc>]
[<ffffffff8117a5dc>] au_do_open_nondir+0x3b/0xaf
<4>[45257161.426004] RSP: 0018:ffff8800388b9c28  EFLAGS: 00210287
<4>[45257161.426007] RAX: 0000000000000000 RBX: ffff8800576263c0 RCX:
0000000000000001
<4>[45257161.426011] RDX: ffff8800576263c0 RSI: 0000000000000000 RDI:
ffff8800576263c0
<4>[45257161.426015] RBP: ffff8800388b9c48 R08: 0000000000000000 R09:
0000000000000000
<4>[45257161.426019] R10: ffff880104d1e500 R11: fefefefefefefeff R12:
0000000000000000
<4>[45257161.426022] R13: ffffffff8117a500 R14: ffff8800576263e8 R15:
0000000000080000
<4>[45257161.426027] FS:  0000000000000000(0000)
GS:ffff88013fb00000(0063) knlGS:00000000f73df8e0
<4>[45257161.426031] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
<4>[45257161.426034] CR2: 0000000000000038 CR3: 000000003ee9c000 CR4:
00000000000007e0
<4>[45257161.426038] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
<4>[45257161.426041] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
<4>[45257161.426046] Process sandy2 (pid: 29253, threadinfo
ffff8800388b8000, task ffff88003d9d5930)
<4>[45257161.426049] Stack:
<4>[45257161.426052]  ffff8800388b9c48 ffff8800576263c0
ffff880072891df8 ffffffff8117a5a1
<4>[45257161.426059]  ffff8800388b9c98 ffffffff811789cd
ffff8800388b9c78 ffffffff813eb090
<4>[45257161.426065]  ffff88013f180000 ffff88013f180000
ffff8800576263c0 ffff8800576263c0
<4>[45257161.426072] Call Trace:
<4>[45257161.426077] [<ffffffff8117a5a1>] ? au_do_open_nondir+0x0/0xaf
<4>[45257161.426081] [<ffffffff811789cd>] au_do_open+0x57/0xaa
<4>[45257161.426088] [<ffffffff813eb090>] ? sub_preempt_count+0x92/0xa5
<4>[45257161.426093] [<ffffffff81179c5b>] ? aufs_open_nondir+0x0/0x80
<4>[45257161.426097] [<ffffffff81179c8e>] aufs_open_nondir+0x33/0x80
<4>[45257161.426103] [<ffffffff810a7945>] __dentry_open+0x158/0x275
<4>[45257161.426107] [<ffffffff810a7b1f>] nameidata_to_filp+0x5b/0x62
<4>[45257161.426113] [<ffffffff810b5854>] do_last+0x539/0x642
<4>[45257161.426118] [<ffffffff810b5a28>] path_openat+0xcb/0x361
<4>[45257161.426123] [<ffffffff810b5dad>] do_filp_open+0x38/0x84
<4>[45257161.426129] [<ffffffff813eb090>] ? sub_preempt_count+0x92/0xa5
<4>[45257161.426134] [<ffffffff813e8310>] ? _raw_spin_unlock+0x13/0x2e
<4>[45257161.426139] [<ffffffff810bfb9c>] ? alloc_fd+0xfb/0x10d
<4>[45257161.426144] [<ffffffff810a75f0>] do_sys_open+0x116/0x1af
<4>[45257161.426150] [<ffffffff810e4320>] compat_sys_open+0x16/0x18
<4>[45257161.426155] [<ffffffff813ee28b>] cstar_dispatch+0x7/0x1e
<4>[45257161.426158] Code: ec 08 4c 8b 47 18 4d 3b 40 18 49 8b 40 30
74 07 49 83 78 10 00 74 29 48 85 c0 75 31 eb 22 48 8b 83 c0 00 00 00
44 89 e6 48 89 df
<44> 88 68 38 e8 b0 e1 ff ff 48 89 df e8 b7 df ff ff 31 c0 eb 05
<1>[45257161.426218] RIP  [<ffffffff8117a5dc>] au_do_open_nondir+0x3b/0xaf
<4>[45257161.501970]  RSP <ffff8800388b9c28>
<0>[45257161.501974] Kernel version: 3.4.43 #1 SMP PREEMPT Fri Jul 22
13:33:33 PDT 2016
<4>[45257161.608848] CR2: 0000000000000038

<4>[45257161.425996] RIP: 0010:[<ffffffff8117a5dc>]
[<ffffffff8117a5dc>] au_do_open_nondir+0x3b/0xaf

 28 int au_do_open_nondir(struct file *file, int flags)
 29 {
 30         int err;
 31         aufs_bindex_t bindex;
 32         struct file *h_file;
 33         struct dentry *dentry;
 34         struct au_finfo *finfo;
 35
 36         FiMustWriteLock(file);
 37
 38         dentry = file->f_dentry;
 39         err = au_d_alive(dentry);
 40         if (unlikely(err))
 41                 goto out;
 42
 43         finfo = au_fi(file);
 44         memset(&finfo->fi_htop, 0, sizeof(finfo->fi_htop));
 45         atomic_set(&finfo->fi_mmapped, 0);
 46         bindex = au_dbstart(dentry);
 47         h_file = au_h_open(dentry, bindex, flags, file);
 48         if (IS_ERR(h_file))
 49                 err = PTR_ERR(h_file);
 50         else {
 51                 au_set_fbstart(file, bindex);       <======== crash inside this inlined helper
 52                 au_set_h_fptr(file, bindex, h_file);
 53                 au_update_figen(file);
 54                 /* todo: necessary? */
 55                 /* file->f_ra = h_file->f_ra; */
 56         }

/* Store bindex into the fi_btop field of the au_finfo attached to file. */
185 static inline void au_set_fbstart(struct file *file, aufs_bindex_t
bindex)
186 {
187         FiMustWriteLock(file);  /* NOTE(review): looks like a lock-held assertion; it is not shown to validate file->private_data. Confirm. */
188         au_fi(file)->fi_btop = bindex;  /* au_fi() result is dereferenced unchecked; if file->private_data is NULL this store faults at the offset of fi_btop */
189 }
190

/* Return the au_finfo pointer kept in file->private_data; no validation is done here. */
145 static inline struct au_finfo *au_fi(struct file *file)
146 {
147         return file->private_data;  /* returned as-is, so it may be NULL; the callers quoted in this report dereference it without a check */
148 }



        struct inode *inode = d->d_inode;
        err = 0;
        if (unlikely(d_unhashed(d) || !inode || !inode->i_nlink))
ffffffff8117a5c1:       49 83 78 10 00          cmpq   $0x0,0x10(%r8)
ffffffff8117a5c6:       74 29                   je
ffffffff8117a5f1 <au_do_open_nondir+0x50>
        err = 0;
        if (!IS_ROOT(d))
                err = au_d_hashed_positive(d);
        else {
                inode = d->d_inode;
                if (unlikely(d_unlinked(d) || !inode ||
!inode->i_nlink))
ffffffff8117a5c8:       48 85 c0                test   %rax,%rax
ffffffff8117a5cb:       75 31                   jne
ffffffff8117a5fe <au_do_open_nondir+0x5d>
ffffffff8117a5cd:       eb 22                   jmp
ffffffff8117a5f1 <au_do_open_nondir+0x50>
}

static inline void au_set_fbstart(struct file *file, aufs_bindex_t
bindex)
{
        FiMustWriteLock(file);
        au_fi(file)->fi_btop = bindex;
ffffffff8117a5cf:       48 8b 83 c0 00 00 00    mov    0xc0(%rbx),%rax
        h_file = au_h_open(dentry, bindex, flags, file);
        if (IS_ERR(h_file))
                err = PTR_ERR(h_file);
        else {
                au_set_fbstart(file, bindex);
                au_set_h_fptr(file, bindex, h_file);
ffffffff8117a5d6:       44 89 e6                mov    %r12d,%esi
ffffffff8117a5d9:       48 89 df                mov    %rbx,%rdi
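ffffffff8117a5dc:       44 88 68 38             mov    %r13b,0x38(%rax)    <============ crash point: RAX, loaded from 0xc0(%rbx) at ffffffff8117a5cf, is 0 in the register dump, so this store faults at 0x38 (matches CR2)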
ffffffff8117a5e0:       e8 b0 e1 ff ff          callq
ffffffff81178795 <au_set_h_fptr>
                au_update_figen(file);
ffffffff8117a5e5:       48 89 df                mov    %rbx,%rdi
ffffffff8117a5e8:       e8 b7 df ff ff          callq
ffffffff811785a4 <au_update_figen>
ffffffff8117a5ed:       31 c0                   xor    %eax,%eax
ffffffff8117a5ef:       eb 05                   jmp
ffffffff8117a5f6 <au_do_open_nondir+0x55>
ffffffff8117a5f1:       b8 fe ff ff ff          mov
$0xfffffffe,%eax
                /* file->f_ra = h_file->f_ra; */
        }


Reading symbols from /tmp/vmlinux...done.
(gdb) list *(au_do_open_nondir+0x3b)
0xffffffff8117a5dc is in au_do_open_nondir
(/bld/kernel/rpmbuild/linux-3.4/fs/aufs/file.h:188).
warning: Source file is more recent than executable.
183     }
184
185     static inline void au_set_fbstart(struct file *file,
aufs_bindex_t bindex)
186     {
187             FiMustWriteLock(file);
188             au_fi(file)->fi_btop = bindex;
189     }
190
191     static inline void au_set_fbend_dir(struct file *file,
aufs_bindex_t bindex)
192     {
(gdb)


