(Please CC, not subscribed)

I have an archival setup that makes heavy use of hardlinks, and recently, it started needing inode64 (refused to create any more files until I remounted w/ inode64), and shortly thereafter it went really bad and now after making some new files, I get this OOPS and write access to any XFS filesystem on the machine stops.

xfs_check and xfs_repair claim the filesystem is fine, so I wonder if I've just run into some corner-case.

Filesystem stats:
Approx 120K inodes, 6M files.
Allocated space: 900GiB (on LVM, single volume)
Actual size: 787GiB
Apparent size: 23.5TiB
Hardlink count per inode: mean 51, mode 116, median 33, max 595, min 1.

[ 5674.213688] BUG: unable to handle kernel NULL pointer dereference at 000000000000000c
[ 5674.214095] IP: [<ffffffff812391fc>] xfs_perag_put+0x14/0x6d
[ 5674.214305] PGD 229e7b000
[ 5674.214506] Oops: 0002 [#1] SMP
[ 5674.214708] last sysfs file: /sys/devices/pci0000:00/0000:00:1c.4/0000:0d:00.0/net/eth0/broadcast
[ 5674.215108] CPU 0
[ 5674.215113] Modules linked in: xt_comment sch_htb nf_conntrack_ipv4 nf_defrag_ipv4 xt_state iptable_filter ipt_addrtype xt_dscp xt_string xt_owner xt_multiport xt_iprange xt_hashlimit xt_conntrack xt_DSCP xt_NFQUEUE xt_mark xt_connmark nf_conntrack ip_tables ipv6 evdev tpm_tis i2c_i801 container tpm iTCO_wdt sg i2c_core tpm_bios processor thermal iTCO_vendor_support thermal_sys ghes hed i3200_edac hwmon button edac_core
[ 5674.216585]
[ 5674.216782] Pid: 26699, comm: rsync Not tainted 2.6.36-hardened-r4-infra17 #3 X7SBi/X7SBi
[ 5674.217180] RIP: 0010:[<ffffffff812391fc>] [<ffffffff812391fc>] xfs_perag_put+0x14/0x6d
[ 5674.217452] RSP: 0018:ffff8801a54556c8 EFLAGS: 00010292
[ 5674.217452] RAX: 00000000ffffffff RBX: ffff8801794498c8 RCX: 0000000000000000
[ 5674.217452] RDX: ffff8801a5455864 RSI: 0000000000000004 RDI: 0000000000000000
[ 5674.217452] RBP: ffff8801a54556f8 R08: ffff8801a54556f8 R09: 0000000000000000
[ 5674.217452] R10: ffffffff8123e232 R11: 0000000000000001 R12: ffff8801794497c0
[ 5674.217452] R13: 0000000000000000 R14: ffff8801a5455978 R15: ffff88022d62bc00
[ 5674.217452] FS: 000002a093f506f0(0000) GS:ffff880002600000(0000) knlGS:0000000000000000
[ 5674.217452] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5674.217452] CR2: 000000000000000c CR3: 0000000001638000 CR4: 00000000000006f0
[ 5674.217452] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5674.217452] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 5674.217452] Process rsync (pid: 26699, threadinfo ffff8801a5454000, task ffff88022960f570)
[ 5674.217452] Stack:
[ 5674.217452] 00000004a54556f8 ffff8801794498c8 ffff8801794497c0 0000000000000000
[ 5674.217452] <0> ffff8801a5455978 ffff88022d62bc00 ffff8801a5455788 ffffffff8120ef52
[ 5674.217452] <0> ffff8801a5455738 0000ffff810b6ebd ffff88022960fad8 ffff8801a5455864
[ 5674.217452] Call Trace:
[ 5674.217452] [<ffffffff8120ef52>] xfs_bmap_btalloc_nullfb+0x20e/0x2b4
[ 5674.217452] [<ffffffff810b77a5>] ? find_or_create_page+0x31/0x85
[ 5674.217452] [<ffffffff8120f1e7>] xfs_bmap_btalloc+0x1ef/0x5b8
[ 5674.217452] [<ffffffff8120abe5>] ? xfs_bmap_search_multi_extents+0x63/0xda
[ 5674.217452] [<ffffffff8120f5b9>] xfs_bmap_alloc+0x9/0xb
[ 5674.217452] [<ffffffff8121146f>] xfs_bmapi+0x6c2/0xd62
[ 5674.217452] [<ffffffff812462b6>] ? xfs_buf_rele+0xe6/0xf2
[ 5674.217452] [<ffffffff8121b965>] xfs_dir2_grow_inode+0x11d/0x32b
[ 5674.217452] [<ffffffff8124d8f6>] ? xfs_setup_inode+0x244/0x24d
[ 5674.217452] [<ffffffff81242a09>] ? kmem_free+0x26/0x2f
[ 5674.217452] [<ffffffff812285ec>] ? xfs_idata_realloc+0x3f/0x109
[ 5674.217452] [<ffffffff8121c538>] xfs_dir2_sf_to_block+0xda/0x5ae
[ 5674.217452] [<ffffffff81613956>] ? _raw_spin_lock+0x9/0xd
[ 5674.217452] [<ffffffff812234bb>] xfs_dir2_sf_addname+0x1d8/0x507
[ 5674.217452] [<ffffffff810eb1cd>] ? kmem_cache_alloc+0x193/0x1fe
[ 5674.217452] [<ffffffff8121c332>] xfs_dir_createname+0xee/0x15a
[ 5674.217452] [<ffffffff81240203>] xfs_link+0x1f1/0x293
[ 5674.217452] [<ffffffff8124d36f>] xfs_vn_link+0x3a/0x62
[ 5674.217452] [<ffffffff810fce7f>] vfs_link+0xfd/0x186
[ 5674.217452] [<ffffffff81100384>] sys_linkat+0x10a/0x183
[ 5674.217452] [<ffffffff810f6b02>] ? sys_newlstat+0x2c/0x3b
[ 5674.217452] [<ffffffff81100416>] sys_link+0x19/0x1b
[ 5674.217452] [<ffffffff810035a7>] system_call_fastpath+0x16/0x1b
[ 5674.217452] Code: 0e 98 00 00 41 3b 5c 24 70 72 d0 5f 5b 41 5c 41 5d 41 5e 41 5f c9 c3 55 83 c8 ff 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 <f0> 0f c1 47 0c 71 05 89 47 0c cd 04 83 3d 59 d6 84 00 00 44 8d
[ 5674.217452] RIP [<ffffffff812391fc>] xfs_perag_put+0x14/0x6d
[ 5674.217452] RSP <ffff8801a54556c8>
[ 5674.217452] CR2: 000000000000000c
[ 5674.217452] ---[ end trace 9c6412348052de21 ]---

The following are the only changes to XFS in the hardened kernel patchset. I don't think they should cause any problems. But I wanted to be clear as to what code I was running.

diff -Nuar linux-2.6.36.4/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.36-hardened-r4/fs/xfs/linux-2.6/xfs_ioctl.c --- linux-2.6.36.4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-10-20 20:30:22.000000000 +0000 +++ linux-2.6.36-hardened-r4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-12-02 19:32:15.000000000 +0000 @@ -127,7 +127,7 @@ } error = -EFAULT; - if (copy_to_user(hreq->ohandle, &handle, hsize) || + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) || copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32))) goto out_put;
@@ -416,7 +416,7 @@ if (IS_ERR(dentry)) return PTR_ERR(dentry); - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL); + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL); if (!kbuf) goto out_dput; diff -Nuar linux-2.6.36.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.36-hardened-r4/fs/xfs/linux-2.6/xfs_iops.c --- linux-2.6.36.4/fs/xfs/linux-2.6/xfs_iops.c 2010-10-20 20:30:22.000000000 +0000 +++ linux-2.6.36-hardened-r4/fs/xfs/linux-2.6/xfs_iops.c 2010-12-02 19:32:15.000000000 +0000 @@ -472,7 +472,7 @@ struct nameidata *nd, void *p) { - char *s = nd_get_link(nd); + const char *s = nd_get_link(nd); if (!IS_ERR(s)) kfree(s); diff -Nuar linux-2.6.36.4/fs/xfs/xfs_bmap.c linux-2.6.36-hardened-r4/fs/xfs/xfs_bmap.c --- linux-2.6.36.4/fs/xfs/xfs_bmap.c 2010-10-20 20:30:22.000000000 +0000 +++ linux-2.6.36-hardened-r4/fs/xfs/xfs_bmap.c 2010-12-02 19:32:15.000000000 +0000 @@ -287,7 +287,7 @@ int nmap, int ret_nmap); #else -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0) #endif /* DEBUG */ STATIC int
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@xxxxxxxxxx
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
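
Review bot: in the xfs_ioctl.c hunk at @@ -127, the new `hsize > sizeof(handle)` test is folded into the same condition as the two copy_to_user() calls, so an oversized hsize is reported with the `error = -EFAULT` set just above, the same code a bad user pointer produces. If hsize can only exceed sizeof(handle) through a kernel-side inconsistency, a separate check ahead of the copy with its own error value would make the two cases distinguishable. The joined line also runs well past 80 columns; the size test on a line of its own would keep the condition readable.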
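
Review bot: in the xfs_ioctl.c hunk at @@ -416, the switch to kzalloc() still sizes the buffer from `al_hreq.buflen`, and no upper bound on that field is visible in these lines, so the request length should be confirmed as range-checked before the allocation. If the intent of zeroing is to keep uninitialised bytes of kbuf from being copied out, a one-line comment saying so would keep a later cleanup from reverting it to kmalloc().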
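
Review bot: in the xfs_iops.c hunk at @@ -472, `s` becomes `const char *` and is passed to kfree() two lines later, so the declaration now marks as read-only a buffer this function releases. Nothing in the visible lines says why the qualifier is needed; if it follows from a const return type of nd_get_link() elsewhere in the patchset, the changelog should say so.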
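
Review bot: in the xfs_bmap.c hunk at @@ -287, the non-DEBUG `xfs_bmap_validate_ret()` now expands to `do {} while (0)` but still discards all six arguments unevaluated, so callers must not rely on side effects in them; a short comment on the macro would document that. This is the only change shown for xfs_bmap.c, and it alters nothing but the expansion of a macro that was already empty in non-DEBUG builds.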