lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <464CB577.5080106@googlemail.com>
Date:	Thu, 17 May 2007 22:05:11 +0200
From:	Michal Piotrowski <michal.k.k.piotrowski@...il.com>
To:	Christoph Hellwig <hch@....de>
CC:	xfs-masters@....sgi.com, Andrew Morton <akpm@...ux-foundation.org>,
	David Chinner <dgc@....com>, linux-kernel@...r.kernel.org
Subject: Re: [xfs-masters] Re: 2.6.22-rc1-mm1

Hi Christoph,

Christoph Hellwig napisaƂ(a):
> On Thu, May 17, 2007 at 12:06:00PM +1000, David Chinner wrote:
>>> static inline int put_page_testzero(struct page *page)
>>> {
>>> 	VM_BUG_ON(atomic_read(&page->_count) == 0);
>>> 	return atomic_dec_and_test(&page->_count);
>>> }
>> I haven't seen that one. I expect that it will be the noaddr buffer allocation
>> changes that have triggered this...
> 
> Yes.   xfs_buf_get_noaddr calls xfs_buf_free to free a buffer when
> something fails.  But this is wrong - we want to call xfs_buf_deallocate
> before we setup the page list, and if a page allocation fails we want to
> do out own freeing of just the pages we allocated and call
> _xfs_buf_free_pages.  Currently we do our own freeing _and_ call
> xfs_buf_free which leads to this double free.
> 
> 
> Signed-off-by: Christoph Hellwig <hch@....de>
> 
> 
> Index: linux-2.6/fs/xfs/linux-2.6/xfs_buf.c
> ===================================================================
> --- linux-2.6.orig/fs/xfs/linux-2.6/xfs_buf.c	2007-05-17 09:34:44.000000000 +0200
> +++ linux-2.6/fs/xfs/linux-2.6/xfs_buf.c	2007-05-17 09:36:53.000000000 +0200
> @@ -792,8 +792,9 @@ xfs_buf_get_noaddr(
>   fail_free_mem:
>   	while (--i >= 0)
>  		__free_page(bp->b_pages[i]);
> +	_xfs_buf_free_pages(bp);
>   fail_free_buf:
> -	xfs_buf_free(bp);
> +	xfs_buf_deallocate(bp);
>   fail:
>  	return NULL;
>  }

I applied your patch and I get another oops

[  261.491499] XFS mounting filesystem loop0
[  261.501641] Ending clean XFS mount for filesystem: loop0
[  261.507698] SELinux: initialized (dev loop0, type xfs), uses xattr
[  261.567441] XFS mounting filesystem loop0
[  261.573931] allocation failed: out of vmalloc space - use vmalloc=<size> to increase size.
[  261.582935] xfs_buf_get_noaddr: failed to map pages
[  261.592478] Ending clean XFS mount for filesystem: loop0
[  261.618543] SELinux: initialized (dev loop0, type xfs), uses xattr
[  261.691563] XFS mounting filesystem loop0
[  261.698927] allocation failed: out of vmalloc space - use vmalloc=<size> to increase size.
                                  ^^^^^^^^^^^^^^^^^^^^
                                  interesting

[  261.724829] xfs_buf_get_noaddr: failed to map pages
[  261.734049] Ending clean XFS mount for filesystem: loop0
[  261.741069] SELinux: initialized (dev loop0, type xfs), uses xattr
[  261.978728] XFS mounting filesystem loop0
[  262.205863] xfs_buf_get_noaddr: failed to map pages
[  262.212523] Ending clean XFS mount for filesystem: loop0
[  262.218084] SELinux: initialized (dev loop0, type xfs), uses xattr
[..]
[  265.842566] xfs_buf_get_noaddr: failed to map pages
[  265.848267] xfs_buf_get_noaddr: failed to map pages
[  265.856480] Ending clean XFS mount for filesystem: loop0
[  265.862260] SELinux: initialized (dev loop0, type xfs), uses xattr
[  265.921288] XFS mounting filesystem loop0
[  265.927123] xfs_buf_get_noaddr: failed to map pages
[  265.932575] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
[  265.942886]  printing eip:
[  265.945665] fdc8e82a
[  265.948818] *pde = 00000000
[  265.952378] Oops: 0002 [#1]
[  265.955241] PREEMPT SMP 
[  265.957868] Modules linked in: xfs loop ipt_MASQUERADE iptable_nat nf_nat autofs4 af_packet nf_conntrack_netbios_ns ipt_REJECT nf_conntrack_ipv4 xt_state nf_conntrack nfnetlink iptable_filter ip_tables ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 binfmt_misc thermal processor fan container nvram snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm evdev intel_agp agpgart snd_timer snd soundcore snd_page_alloc i2c_i801 ide_cd cdrom rtc unix
[  266.007064] CPU:    0
[  266.007065] EIP:    0060:[<fdc8e82a>]    Not tainted VLI
[  266.007066] EFLAGS: 00010246   (2.6.22-rc1-mm1 #5)
[  266.019641] EIP is at xfs_buf_cond_lock+0x8/0x1f [xfs]
[  266.024853] eax: 00000000   ebx: ce3e9100   ecx: 00000000   edx: 00000001
[  266.031768] esi: ccf8b628   edi: ccf8b5d8   ebp: d04beb20   esp: d04beb20
[  266.038692] ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
[  266.044615] Process mount (pid: 7206, ti=d04be000 task=cdcb74f0 task.ti=d04be000)
[  266.052090] Stack: d04beb60 fdc75a12 00000005 fdc99174 00080020 00000000 ccf72c70 c992e5b0 
[  266.060680]        ccf8b6f0 00000007 c0875244 00000000 d04beb70 00080020 00000000 c992e5b0 
[  266.069247]        d04beb90 fdc75cd1 00080020 00000000 00002580 fdc8ccda c992e5f0 c992e5b0 
[  266.077866] Call Trace:
[  266.080611]  [<fdc75a12>] xlog_alloc_log+0x1b9/0x2cd [xfs]
[  266.086286]  [<fdc75cd1>] xfs_log_mount+0x6b/0xf1 [xfs]
[  266.091688]  [<fdc7ec47>] xfs_mountfs+0x959/0xc4a [xfs]
[  266.097097]  [<fdc714f6>] xfs_ioinit+0x26/0x2c [xfs]
[  266.102240]  [<fdc85692>] xfs_mount+0x2e5/0x358 [xfs]
[  266.107474]  [<fdc95b72>] vfs_mount+0x1a/0x1e [xfs]
[  266.112563]  [<fdc95a2c>] xfs_fs_fill_super+0x76/0x1a2 [xfs]
[  266.118433]  [<c0185987>] get_sb_bdev+0x105/0x143
[  266.123260]  [<fdc94d63>] xfs_fs_get_sb+0x21/0x27 [xfs]
[  266.128709]  [<c0185509>] vfs_kern_mount+0x81/0xf1
[  266.133589]  [<c0199b59>] do_mount+0x716/0x80d
[  266.138145]  [<c0199cd0>] sys_mount+0x80/0xb5
[  266.142595]  [<c01041d0>] syscall_call+0x7/0xb
[  266.147170]  [<b7fe6410>] 0xb7fe6410
[  266.150822]  =======================
[  266.154445] INFO: lockdep is turned off.
[  266.158411] Code: be 20 00 00 00 89 f2 29 c2 83 c8 ff 88 d1 d3 e0 29 de 89 f1 d3 e8 5b 5e 5d c3 55 89 e5 90 ff 40 7c 5d c3 55 89 e5 89 c1 31 c0 90 <ff> 09 79 07 8d 01 e8 d7 17 6c c2 83 f8 01 19 c0 f7 d0 83 e0 f0 
[  266.178534] EIP: [<fdc8e82a>] xfs_buf_cond_lock+0x8/0x1f [xfs] SS:ESP 0068:d04beb20
[  266.347522] XFS: Filesystem loop1 has duplicate UUID - can't mount
[  266.415823] XFS: Filesystem loop1 has duplicate UUID - can't mount
[  266.477997] XFS: Filesystem loop1 has duplicate UUID - can't mount
[  266.541940] XFS: Filesystem loop1 has duplicate UUID - can't mount

http://www.stardust.webpages.pl/files/tbf/bitis-gabonica/2.6.22-rc1-mm1/mm-dmesg3
http://www.stardust.webpages.pl/files/tbf/bitis-gabonica/2.6.22-rc1-mm1/mm-config

Regards,
Michal

-- 
Michal K. K. Piotrowski
Kernel Monkeys
(http://kernel.wikidot.com/start)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ