Re: Filesystem fuzzing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 2008-05-21 at 17:10 +0200, Eric Sesterhenn wrote:
> * Eric Sesterhenn (snakebyte@xxxxxx) wrote:
> 
> since i forgot the CCs on the last msg i do a fullquote, sorry for this
> 
> > and here is another one:
> > 
> > [  458.684137] BUG: unable to handle kernel paging request at e0171576
> > [  458.684348] IP: [<c0323eab>] dbFindLeaf+0x2b/0xb0
> > [  458.684348] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
> > [  458.684348] Modules linked in: nfsd exportfs
> > [  458.684348] 
> > [  458.684348] Pid: 4831, comm: fsstress Not tainted
> > (2.6.26-rc3-00243-gd40ace0 #26)
> > [  458.684348] EIP: 0060:[<c0323eab>] EFLAGS: 00010206 CPU: 0
> > [  458.684348] EIP is at dbFindLeaf+0x2b/0xb0
> > [  458.684348] EAX: 00000000 EBX: ca81c010 ECX: 15955555 EDX: 05655555
> > [  458.684348] ESI: 00cefff6 EDI: 00000000 EBP: ca8bd9a4 ESP: ca8bd984
> > [  458.684348]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> > [  458.684348] Process fsstress (pid: 4831, ti=ca8bd000 task=ca87af40
> > task.ti=ca8bd000)
> > [  458.684348] Stack: ca8bd9d4 c033017d 00000000 000007a6 ca8bd9c4
> > ca859000 00000000 ca81c000 
> > [  458.684348]        ca8bd9d4 c0324bb0 c1152380 00000000 00000046
> > f21e31e8 00000001 ca848000 
> > [  458.684348]        c01441ad ca859000 00000000 00000000 ca8bda28
> > c0324fa3 00000000 ca8bdb7c 
> > [  458.684348] Call Trace:
> > [  458.684348]  [<c033017d>] ? __get_metapage+0xed/0x3d0
> > [  458.684348]  [<c0324bb0>] ? dbAllocDmapLev+0x50/0xc0
> > [  458.684348]  [<c01441ad>] ? put_lock_stats+0xd/0x30
> > [  458.684348]  [<c0324fa3>] ? dbAllocCtl+0x383/0x3d0
> > [  458.684348]  [<c01441ad>] ? put_lock_stats+0xd/0x30
> > [  458.684348]  [<c032512d>] ? dbAllocAG+0x9d/0x450
> > [  458.684348]  [<c013bfd6>] ? down_write_nested+0x76/0x90
> > [  458.684348]  [<c03258d5>] ? dbAlloc+0x145/0x570
> > [  458.684348]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [  458.684348]  [<c03289c0>] ? add_index+0x2b0/0x520
> > [  458.684348]  [<c0146ef4>] ? __lock_acquire+0x2c4/0x1120
> > [  458.684348]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [  458.684348]  [<c0328ed4>] ? dtInsertEntry+0x114/0x4b0
> > [  458.684348]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [  458.684348]  [<c032c53f>] ? dtInsert+0x27f/0x19e0
> > [  458.684348]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [  458.684348]  [<c017a131>] ? check_bytes_and_report+0x21/0xc0
> > [  458.684348]  [<c0146ef4>] ? __lock_acquire+0x2c4/0x1120
> > [  458.684348]  [<c032aa41>] ? dtSearch+0x721/0x9f0
> > [  458.684348]  [<c032aa41>] ? dtSearch+0x721/0x9f0
> > [  458.684348]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [  458.684348]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [  458.684348]  [<c0330018>] ? force_metapage+0x8/0x80
> > [  458.684348]  [<c03187e2>] ? jfs_create+0x212/0x360
> > [  458.684348]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [  458.684348]  [<c03387b0>] ? jfs_permission+0x0/0x10
> > [  458.684348]  [<c01880b4>] ? vfs_create+0xa4/0x100
> > [  458.684348]  [<c018b223>] ? do_filp_open+0x683/0x780
> > [  458.684348]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [  458.684348]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [  458.684348]  [<c017e1a9>] ? do_sys_open+0x49/0xe0
> > [  458.684348]  [<c017e2a9>] ? sys_open+0x29/0x40
> > [  458.684348]  [<c017e2e1>] ? sys_creat+0x21/0x30
> > [  458.684348]  [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> > [  458.684348]  =======================
> > [  458.684348] Code: 55 89 e5 57 89 d7 56 be e4 ff ff ff 53 89 c3 83 ec
> > 14 89 4d f0 0f be 40 11 39 d0 7c 74 8b 73 0c 31 c0 85 f6 7e 5f b9 01 00
> > 00 00 <0f> be 44 19 11 39 c7 7e 67 8d 51 01 0f be 44 1a 1jfs.18.img.bz21 39 c7 7e 5d 
> > [  458.684348] EIP: [<c0323eab>] dbFindLeaf+0x2b/0xb0 SS:ESP
> > 0068:ca8bd984
> > [  458.684348] ---[ end trace 6c51bcbd2c170a69 ]---
> > 
> > The image can be found at http://www.cccmz.de/~snakebyte/jfs.18.img.bz2
> > 

I think I see the problem here.  JFS isn't sanity-checking all the
values it uses to access elements in an array.  I'll take a little more
time to make sure I get this fix right.

> 
> and i just got another one... 
> 
> [ 2223.316259] ERROR: (device loop0): XT_GETPAGE: xtree page corrupt
> [ 2223.322958] ERROR: (device loop0): XT_GETPAGE: xtree page corrupt
> [ 2231.555219] ------------[ cut here ]------------
> [ 2231.555344] WARNING: at kernel/mutex.c:134
> mutex_lock_nested+0x252/0x2a0()
> [ 2231.555346] Modules linked in: nfsd exportfs
> [ 2231.555346] Pid: 8081, comm: mkdir Not tainted
> 2.6.26-rc3-00243-gd40ace0 #26
> [ 2231.555346]  [<c01252c4>] warn_on_slowpath+0x54/0x70
> [ 2231.555346]  [<c01441ad>] ? put_lock_stats+0xd/0x30
> [ 2231.555346]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346]  [<c01465db>] ? mark_held_locks+0x4b/0x80
> [ 2231.555346]  [<c05fcf8c>] ? __mutex_unlock_slowpath+0xac/0x140
> [ 2231.555346]  [<c014676d>] ? trace_hardirqs_on+0xbd/0x140
> [ 2231.555346]  [<c05fd282>] mutex_lock_nested+0x252/0x2a0
> [ 2231.555346]  [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346]  [<c0321ec1>] diAlloc+0x211/0x6d0
> [ 2231.555346]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346]  [<c032e988>] ialloc+0x48/0x290
> [ 2231.555346]  [<c0318984>] jfs_mkdir+0x54/0x370
> [ 2231.555346]  [<c014686c>] ? debug_check_no_locks_freed+0x7c/0x130
> [ 2231.555346]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346]  [<c03387b0>] ? jfs_permission+0x0/0x10
> [ 2231.555346]  [<c03387bd>] ? jfs_permission+0xd/0x10
> [ 2231.555346]  [<c0187e98>] vfs_mkdir+0x98/0xf0
> [ 2231.555346]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346]  [<c018a436>] sys_mkdirat+0xd6/0xf0
> [ 2231.555346]  [<c013c176>] ? up_read+0x16/0x30
> [ 2231.555346]  [<c0118287>] ? do_page_fault+0x2c7/0x640
> [ 2231.555346]  [<c0103e67>] ? restore_nocheck+0x12/0x15
> [ 2231.555346]  [<c018a470>] sys_mkdir+0x20/0x30
> [ 2231.555346]  [<c0103d7d>] sysenter_past_esp+0x6a/0xb1
> [ 2231.555346]  =======================
> [ 2231.555346] ---[ end trace 91ffe6a3a3009964 ]---
> [ 2231.555346] BUG: unable to handle kernel NULL pointer dereference at
> 00000000
> [ 2231.555346] IP: [<c037b960>] __list_add+0x10/0x60
> [ 2231.555346] *pde = 00000000 
> [ 2231.555346] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
> [ 2231.555346] Modules linked in: nfsd exportfs
> [ 2231.555346] 
> [ 2231.555346] Pid: 8081, comm: mkdir Tainted: G        W
> (2.6.26-rc3-00243-gd40ace0 #26)
> [ 2231.555346] EIP: 0060:[<c037b960>] EFLAGS: 00010046 CPU: 0
> [ 2231.555346] EIP is at __list_add+0x10/0x60
> [ 2231.555346] EAX: 00000000 EBX: c28c7d98 ECX: c2f9f890 EDX: 00000000
> [ 2231.555346] ESI: 00000246 EDI: c2f9f870 EBP: c28c7d70 ESP: c28c7d5c
> [ 2231.555346]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [ 2231.555346] Process mkdir (pid: 8081, ti=c28c7000 task=cbed2f40
> task.ti=c28c7000)
> [ 2231.555346] Stack: c0321ec1 c2f9f8a4 c2f9f86c 00000246 c2f9f86c
> c28c7db8 c05fd0e1 00000000 
> [ 2231.555346]        00000002 c0321ec1 c2f9f890 c0321ec1 00000000
> cbed2f40 c2f9f8a4 c28c7d98 
> [ 2231.555346]        c28c7d98 11111111 c2f9f86c c28c7d98 c390c2d4
> c2bdc000 00000010 c28c7e20 
> [ 2231.555346] Call Trace:
> [ 2231.555346]  [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346]  [<c05fd0e1>] ? mutex_lock_nested+0xb1/0x2a0
> [ 2231.555346]  [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346]  [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346]  [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346]  [<c032e988>] ? ialloc+0x48/0x290
> [ 2231.555346]  [<c0318984>] ? jfs_mkdir+0x54/0x370
> [ 2231.555346]  [<c014686c>] ? debug_check_no_locks_freed+0x7c/0x130
> [ 2231.555346]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346]  [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346]  [<c03387b0>] ? jfs_permission+0x0/0x10
> [ 2231.555346]  [<c03387bd>] ? jfs_permission+0xd/0x10
> [ 2231.555346]  [<c0187e98>] ? vfs_mkdir+0x98/0xf0
> [ 2231.555346]  [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346]  [<c018a436>] ? sys_mkdirat+0xd6/0xf0
> [ 2231.555346]  [<c013c176>] ? up_read+0x16/0x30
> [ 2231.555346]  [<c0118287>] ? do_page_fault+0x2c7/0x640
> [ 2231.555346]  [<c0103e67>] ? restore_nocheck+0x12/0x15
> [ 2231.555346]  [<c018a470>] ? sys_mkdir+0x20/0x30
> [ 2231.555346]  [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> [ 2231.555346]  =======================
> [ 2231.555346] Code: 54 24 04 c7 04 24 10 98 73 c0 e8 cc a9 da ff 0f 0b
> eb fe 90 8d b4 26 00 00 00 00 55 89 e5 53 89 c3 83 ec 10 8b 41 04 39 d0
> 75 16 <8b> 10 39 ca 75 2c 89 5a 04 89 13 89 43 04 89 18 83 c4 10 5b 5d 
> [ 2231.555346] EIP: [<c037b960>] __list_add+0x10/0x60 SS:ESP
> 0068:c28c7d5c
> [ 2231.555346] ---[ end trace 91ffe6a3a3009964 ]---
> 
> 
> 
> image can be found at http://www.cccmz.de/~snakebyte/jfs.11.img.bz2

I'll take a closer look at this one.  A quick look isn't enough to
figure this one out.

> I guess i will stop torturing jfs until monday or so :-)

No problem.  I'll let you know when these are fixed.

> Greetings, Eric

Thanks,
Shaggy
-- 
David Kleikamp
IBM Linux Technology Center

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux