lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130311140646.GA5266@gmail.com>
Date:	Mon, 11 Mar 2013 22:06:46 +0800
From:	Zheng Liu <gnehzuil.liu@...il.com>
To:	Jan Kara <jack@...e.cz>
Cc:	linux-ext4@...r.kernel.org
Subject: Re: [BUG][data=journal] general protection fault is hitted when we
 run xfstests #074

On Mon, Mar 11, 2013 at 02:27:17PM +0100, Jan Kara wrote:
> On Fri 08-03-13 20:55:45, Zheng Liu wrote:
> > On Thu, Mar 07, 2013 at 01:26:38PM +0100, Jan Kara wrote:
> > > On Thu 07-03-13 20:20:19, Zheng Liu wrote:
> > > > Hi all,
> > > > 
> > > > This bug can be hitted in 3.8 kernel, and it doesn't be fixed in dev
> > > > branch.  When #074 runs in a ext4 file system with '-o data=journal', I
> > > > will get a general protection fault in my sand box.  I need to run
> > > > several times to hit this bug.
> > > > 
> > > > My sand box is a Dell Desktop with a Intel(R) Core(TM)2 Duo CPU E8400
> > > > @ 3.00GHz, 4G memory, a 160G HDD and a Intel SSD.  The test runs against
> > > > SSD.
> > > > 
> > > > The messages from dmesg:
> > > > 
> > > > wenqing: run xfstest 074
> > > > kernel: EXT4-fs (sda1): mounted filesystem with journalled data mode.
> > > > Opts: acl,user_xattr,data=journal
> > > > kernel: EXT4-fs (sda1): mounted filesystem with journalled data mode.
> > > > Opts: acl,user_xattr,data=journal
> > > > kernel: EXT4-fs (sda1): mounted filesystem with journalled data mode.
> > > > Opts: acl,user_xattr,data=journal
> > > > kernel: EXT4-fs (sda1): mounted filesystem with journalled data mode.
> > > > Opts: acl,user_xattr,data=journal
> > > > kernel: general protection fault: 0000 [#1] SMP 
> > > > kernel: Modules linked in: ext4 jbd2 crc16 cpufreq_ondemand ipv6
> > > > dm_mirror dm_region_hash dm_log dm_mod parport_pc parport dcdbas
> > > > acpi_cpufreq mperf sg button pcspkr serio_raw i2c_i801 i2c_core ehci_pci
> > > > ehci_hcd e1000e ext3 jbd sd_mod ahci libahci libata scsi_mod uhci_hcd
> > > > kernel: CPU 1 
> > > > kernel: Pid: 2786, comm: flush-8:0 Not tainted 3.8.0 #1 Dell Inc.
> > > > OptiPlex 780                 /0V4W66
> > > > kernel: RIP: 0010:[<ffffffffa01da0a0>]  [<ffffffffa01da0a0>]
> > > > jbd2_journal_dirty_metadata+0x147/0x211 [jbd2]
> > > > kernel: RSP: 0000:ffff880107a93868  EFLAGS: 00010206
> > > > kernel: RAX: 0000000000000000 RBX: ffff88010a674540 RCX: 5c5c5c5c5c5c5c5c
> > > > kernel: RDX: 000000000034402d RSI: ffff88010a674540 RDI: ffff880105bd6ca0
> > > > kernel: RBP: ffff880107a938b8 R08: 0000000000000000 R09: 0000000000000000
> > > > kernel: R10: ffff880105bd6ca0 R11: 000000000000000c R12: ffff88008e4ee518
> > > > kernel: R13: ffff8801114fb800 R14: ffff880105bd6ca0 R15: ffff88010a658c80
> > > > kernel: FS:  0000000000000000(0000) GS:ffff880117c40000(0000)
> > > > knlGS:0000000000000000
> > > > kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > > > kernel: CR2: 00007f60256a5000 CR3: 0000000117834000 CR4: 00000000000407e0
> > > > kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > > kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > > > kernel: Process flush-8:0 (pid: 2786, threadinfo ffff880107a92000, task
> > > > ffff880112cde6b0)
> > > > kernel: Stack:
> > > > kernel: ffff880105bd6ca0 0000000000001000 ffff880107a938a8 ffffffffa01da6de
> > > > kernel: ffff8801114fb868 0000000000000000 00000000000003bf ffffffffa023f0e0
> > > > kernel: ffff88010a674540 0000000000001000 ffff880107a938f8 ffffffffa022bb07
> > > > kernel: Call Trace:
> > > > kernel: [<ffffffffa01da6de>] ? jbd2_journal_get_write_access+0x36/0x40 [jbd2]
> > > > kernel: [<ffffffffa022bb07>] __ext4_handle_dirty_metadata+0xd7/0xe6 [ext4]
> > > > kernel: [<ffffffffa01ff4a5>] write_end_fn+0x37/0x3d [ext4]
> > > > kernel: [<ffffffffa01ff167>] ext4_walk_page_buffers+0x65/0x9b [ext4]
> > > > kernel: [<ffffffffa01ff46e>] ? ext4_nonda_switch+0xbd/0xbd [ext4]
> > > > kernel: [<ffffffffa0203367>] __ext4_journalled_writepage+0x156/0x1ee [ext4]
> > > > kernel: [<ffffffffa0203c10>] ext4_writepage+0x1b8/0x20d [ext4]
> > > > kernel: [<ffffffff820b7ab4>] __writepage+0x17/0x30
> > > > kernel: [<ffffffff820b8554>] write_cache_pages+0x276/0x37f
> > > > kernel: [<ffffffff820b7a9d>] ? set_page_dirty+0x64/0x64
> > > > kernel: [<ffffffff820b86a2>] generic_writepages+0x45/0x5c
> > > > kernel: [<ffffffff820b86e0>] do_writepages+0x27/0x29
> > > > kernel: [<ffffffff8210fc93>] __writeback_single_inode+0x48/0x119
> > > > kernel: [<ffffffff82110e7c>] writeback_sb_inodes+0x1ec/0x2fd
> > > > kernel: [<ffffffff82110fff>] __writeback_inodes_wb+0x72/0xb0
> > > > kernel: [<ffffffff821111ee>] wb_writeback+0x13e/0x230
> > > > kernel: [<ffffffff820b8dae>] ? global_dirty_limits+0x36/0x134
> > > > kernel: [<ffffffff821114aa>] wb_do_writeback+0x1ca/0x1ea
> > > > kernel: [<ffffffff8211158c>] bdi_writeback_thread+0xc2/0x1e2
> > > > kernel: [<ffffffff821114ca>] ? wb_do_writeback+0x1ea/0x1ea
> > > > kernel: [<ffffffff821114ca>] ? wb_do_writeback+0x1ea/0x1ea
> > > > kernel: [<ffffffff8204eadf>] kthread+0xb5/0xbd
> > > > kernel: [<ffffffff8204ea2a>] ? kthread_freezable_should_stop+0x65/0x65
> > > > kernel: [<ffffffff8238689c>] ret_from_fork+0x7c/0xb0
> > > > kernel: [<ffffffff8204ea2a>] ? kthread_freezable_should_stop+0x65/0x65
> > > > kernel: Code: 08 49 8b 4c 24 28 4c 39 f9 0f 84 81 00 00 00 4d 8b 4d 58 31 c0
> > > > 4c 39 c9 74 36 4d 85 c9 74 04 41 8b 41 08 45 31 c0 48 85 c9 74 04 <44> 8b 41
> > > > 08 48 8b 53 18 49 8d b5 58 03 00 00 89 04 24 48 c7 c7 
> > > > kernel: RIP  [<ffffffffa01da0a0>] jbd2_journal_dirty_metadata+0x147/0x211 [jbd2]
> > > > kernel: RSP <ffff880107a93868>
> > > > kernel: ---[ end trace d8e02cf12f9b2b79 ]---
> > >   Hum, clearly we hit some poison value (RCX which was dereferenced was
> > > 0x5c5c5c5c5c5c5c5c). Can you post full disassembly of
> > > jbd2_journal_dirty_metadata()? I was trying to match decoded 'Code' section
> > > with the C code but I failed...
> > 
> > Sorry for the delay.  Here is the result that I use 'objdump -r -S -l
> > --disassemble fs/jbd2/jbd2.ko' to generate.  Hope it's useful for you.
> > 
> > Sorry I don't have time to look at it carefully.  Please let me know if
> > you need some details.
>   Thanks for the debug data. So we oops on dereferencing jh->b_transaction
> because it is 0x5c5c5c5c5c5c5c5c which is JBD2_POISON_FREE. So clearly the
> journal head we have has been freed. Not sure yet how that can happen
> though.

Yup, but I don't think it is a very urgent bug because I need to run a
stress test case a lot of times to hit it, and in practice we don't
receive any report yet.  Certainly we need to keep it in mind.

Regards,
                                                - Zheng
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists