Re: fs: gpf in simple_setattr

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue 25-03-14 13:51:11, Sasha Levin wrote:
> On 03/25/2014 01:33 PM, Jan Kara wrote:
> >On Mon 24-03-14 20:44:14, Sasha Levin wrote:
> >>On 03/24/2014 05:48 PM, Jan Kara wrote:
> >>>>>[  339.948946] ** 4194304 ffff8805ac03ba38 [eventpoll] ffff8806ec051fe0
> >>>>>[eventpoll] ffffffff84666040 ffff88056c73e7b0           (null)
> >>>   OK, great. So finally we have something useful. We know we have problems
> >>>with [eventpoll] dentry. That is actually a special filesystem not mounted
> >>>anywhere - likely you get to that dentry through/proc/<pid>/fd/. Now
> >>>eventpoll is interesting because it uses single anon inode for all
> >>>eventpoll instances. And that inode should stay in place as long as
> >>>eventpoll filesystem exists. So it's not clear how come that inode is
> >>>freed. The basic check of handling of inode use count didn't find anything
> >>>suspicious. But I can check in more detail and if I fail, we now have a
> >>>pretty narrow area where to look...
> >>
> >>Seems like it's not specific to eventpoll, I saw the same error message with
> >>"eventfd" and "perf_event".
> >   Yup, all these use anon_inode_getfile() so it all points to the fact that
> >for some reason we freed anon_inode_inode. But I don't see where the
> >problem is. Can you maybe make 'anon_inode_inode' external to
> >fs/anon_inodes.c and dump stack for all iput() calls to anon_inode_inode?
> >There must be some suckers which don't belong there...
> 
> Okay, this is straightforward. It happened right after boot so we're lucky.
> 
> I'm also looking into that, but odds you'll spot the issue faster than me.
  Can you try whether the following patch fixes the issue for you?

							Thanks
								Honza
-- 
Jan Kara <jack@xxxxxxx>
SUSE Labs, CR
>From 08effd8156660b889af7df31c22695f1469d12ad Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@xxxxxxx>
Date: Tue, 25 Mar 2014 21:37:09 +0100
Subject: [PATCH] fs: Avoid userspace mounting anon_inodefs filesystem

anon_inodefs filesystem is a kernel internal filesystem userspace
shouldn't mess with. Remove registration of it so userspace cannot
even try to mount it (which would fail anyway because the filesystem is
MS_NOUSER).

This fixes an oops triggered by trinity when it tried mounting
anon_inodefs which overwrote anon_inode_inode pointer while other CPU
has been in anon_inode_getfile() between ihold() and d_instantiate().
Thus effectively creating dentry pointing to an inode without holding a
reference to it.

Reported-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
Signed-off-by: Jan Kara <jack@xxxxxxx>
---
 fs/anon_inodes.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index 24084732b1d0..4b4543b8b894 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -177,9 +177,6 @@ static int __init anon_inode_init(void)
 {
 	int error;
 
-	error = register_filesystem(&anon_inode_fs_type);
-	if (error)
-		goto err_exit;
 	anon_inode_mnt = kern_mount(&anon_inode_fs_type);
 	if (IS_ERR(anon_inode_mnt)) {
 		error = PTR_ERR(anon_inode_mnt);
-- 
1.8.1.4


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux